Upgrade gson and grpc to address CVE-2022-25647

Upgraded gson to version 2.8.9 and grpc to version 1.68.0 to fix security vulnerability CVE-2022-25647. Versions of com.google.code.gson:gson prior to 2.8.9 were susceptible to deserialization of untrusted data through the writeReplace() method in internal classes, potentially leading to a Denial of Service (DoS) attack. This update ensures safer data handling and mitigates the risk of exploitation from this vulnerability. Co-authored-by: infvg <ialhazmim@gmail.com> Resolves: CVE-2022-25647
unix280 · Nov 18, 2024 · 88e7f08 · 88e7f08
1 parent 0f14d47
commit 88e7f08
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 7 deletions.
diff --git a/pom.xml b/pom.xml
@@ -94,7 +94,7 @@
         <air.test.parallel>methods</air.test.parallel>
         <air.test.thread-count>2</air.test.thread-count>
         <air.test.jvmsize>4g</air.test.jvmsize>
-        <grpc.version>1.64.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
 
         <air.javadoc.lint>-missing</air.javadoc.lint>
     </properties>

diff --git a/presto-bigquery/pom.xml b/presto-bigquery/pom.xml
@@ -14,6 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencyManagement>
@@ -77,21 +78,21 @@
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-context</artifactId>
-                <version>1.64.0</version>
+                <version>${grpc.version}</version>
             </dependency>
 
             <dependency>
                 <groupId>io.grpc</groupId>
                 <artifactId>grpc-protobuf-lite</artifactId>
-                <version>1.64.0</version>
+                <version>${grpc.version}</version>
             </dependency>
 
             <!-- Pinned version is required. -->
             <!-- It is a transitive dependency of gRPC and bigquerystorage libraries -->
             <dependency>
                 <groupId>io.perfmark</groupId>
                 <artifactId>perfmark-api</artifactId>
-                <version>0.26.0</version>
+                <version>0.27.0</version>
             </dependency>
         </dependencies>
     </dependencyManagement>

diff --git a/presto-function-namespace-managers/pom.xml b/presto-function-namespace-managers/pom.xml
@@ -15,6 +15,16 @@
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
     </properties>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.google.code.gson</groupId>
+                <artifactId>gson</artifactId>
+                <version>2.8.9</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>com.facebook.airlift</groupId>

diff --git a/presto-pinot-toolkit/pom.xml b/presto-pinot-toolkit/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
-        <grpc.version>1.41.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencies>
@@ -383,7 +383,7 @@
         <dependency>
             <groupId>io.perfmark</groupId>
             <artifactId>perfmark-api</artifactId>
-            <version>0.23.0</version>
+            <version>0.27.0</version>
         </dependency>
 
         <dependency>

diff --git a/presto-pinot/pom.xml b/presto-pinot/pom.xml
@@ -14,7 +14,7 @@
 
     <properties>
         <air.main.basedir>${project.parent.basedir}</air.main.basedir>
-        <grpc.version>1.41.0</grpc.version>
+        <grpc.version>1.68.0</grpc.version>
     </properties>
 
     <dependencies>