fix[SP-7345]: Exclude bcprov-jdk15on from emr770

[befc]

This pull request makes a minor update to the dependency exclusions in the shims/emr770/driver/pom.xml file. The main change is the addition of an exclusion for the org.bouncycastle:bcprov-jdk15on dependency.

Dependency management:

• shims/emr770/driver/pom.xml: Added an exclusion for the org.bouncycastle:bcprov-jdk15on library to prevent it from being included as a transitive dependency.

[Copilot]

Pull request overview

Adds an exclusion for the legacy org.bouncycastle:bcprov-jdk15on transitive dependency from hadoop-common in the EMR 770 shim driver. This aligns EMR 770 with other shims (apache, apachevanilla, hdi40) that already exclude bcprov-jdk15on so that the modern Bouncy Castle artifacts (jdk15to18 variants already declared in EMR 770) are used without conflict.

Changes:

• Add org.bouncycastle:bcprov-jdk15on exclusion under the hadoop-common dependency in the EMR 770 driver POM.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[hitachivantarasonarqube]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage
• 0.00% Duplicated Code (0.00% Estimated after merge)

Project ID: org.pentaho:pentaho-hadoop-shims

View in SonarQube

[buildguy]

📦 Vulnerable Dependencies

✍️ Summary

SEVERITY	DIRECT DEPENDENCIES	IMPACTED DEPENDENCY	FIXED VERSIONS	CVES
Critical	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42584
Critical	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42581
Critical	io.netty:netty-codec-dns:4.1.128.Final	io.netty:netty-codec-dns 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42579
High	io.netty:netty-codec-mqtt:4.1.128.Final	io.netty:netty-codec-mqtt 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-44248
High	io.netty:netty-codec-http2:4.1.128.Final	io.netty:netty-codec-http2 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42587
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42587
High	io.netty:netty-codec-redis:4.1.128.Final	io.netty:netty-codec-redis 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42586
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42585
High	io.netty:netty-codec:4.1.128.Final	io.netty:netty-codec 4.1.128.Final	[4.1.133.Final]	CVE-2026-42583
High	io.netty:netty-handler-proxy:4.1.128.Final	io.netty:netty-handler-proxy 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42578
High	io.netty:netty-codec-http2:4.1.128.Final	io.netty:netty-codec-http2 4.1.128.Final	[4.1.132.Final] [4.2.11.Final]	CVE-2026-33871
High	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.132.Final] [4.2.10.Final]	CVE-2026-33870
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-42580
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.133.Final] [4.2.13.Final]	CVE-2026-41417
Medium	io.netty:netty-codec-http:4.1.128.Final	io.netty:netty-codec-http 4.1.128.Final	[4.1.129.Final] [4.2.8.Final]	CVE-2025-67735

🔬 Research Details

[ CVE-2026-42584 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpClientCodec pairs each inbound response with an outbound request by queue.poll() once per response, including for 1xx. If the client pipelines GET then HEAD and the server sends 103, then 200 with GET body, then 200 for HEAD, the queue pairs HEAD with the first 200. The HEAD rule then skips reading that message’s body, so the GET entity bytes stay on the stream and the following 200 is parsed from the wrong offset. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42581 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpObjectDecoder strips a conflicting Content-Length header when a request carries both Transfer-Encoding: chunked and Content-Length, but only for HTTP/1.1 messages. The guard is absent for HTTP/1.0. An attacker that sends an HTTP/1.0 request with both headers causes Netty to decode the body as chunked while leaving Content-Length intact in the forwarded HttpMessage. Any downstream proxy or handler that trusts Content-Length over Transfer-Encoding will disagree on message boundaries, enabling request smuggling. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42579 ] io.netty:netty-codec-dns 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's DNS codec does not enforce RFC 1035 domain name constraints during either encoding or decoding. This creates a bidirectional attack surface: malicious DNS responses can exploit the decoder, and user-influenced hostnames can exploit the encoder. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-44248 ] io.netty:netty-codec-mqtt 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the MQTT 5 header Properties section is parsed and buffered before any message size limit is applied. Specifically, in MqttDecoder, the decodeVariableHeader() method is called before the bytesRemainingBeforeVariableHeader > maxBytesInMessage check. The decodeVariableHeader() can call other methods which will call decodeProperties(). Effectively, Netty does not apply any limits to the size of the properties being decoded. Additionally, because MqttDecoder extends ReplayingDecoder, Netty will repeatedly re-parse the enormous Properties sections and buffer the bytes in memory, until the entire thing parses to completion. This can cause high resource usage in both CPU and memory. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42587 ] io.netty:netty-codec-http2 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42587 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, HttpContentDecompressor accepts a maxAllocation parameter to limit decompression buffer size and prevent decompression bomb attacks. This limit is correctly enforced for gzip and deflate encodings via ZlibDecoder, but is silently ignored when the content encoding is br (Brotli), zstd, or snappy. An attacker can bypass the configured decompression limit by sending a compressed payload with Content-Encoding: br instead of Content-Encoding: gzip, causing unbounded memory allocation and out-of-memory denial of service. The same vulnerability exists in DelegatingDecompressorFrameListener for HTTP/2 connections. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42586 ] io.netty:netty-codec-redis 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, the Netty Redis codec encoder (RedisEncoder) writes user-controlled string content directly to the network output buffer without validating or sanitizing CRLF (\r\n) characters. Since the Redis Serialization Protocol (RESP) uses CRLF as the command/response delimiter, an attacker who can control the content of a Redis message can inject arbitrary Redis commands or forge fake responses. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42585 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty incorrectly parses malformed Transfer-Encoding, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42583 ] io.netty:netty-codec 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Lz4FrameDecoder allocates a ByteBuf of size decompressedLength (up to 32 MB per block) before LZ4 runs. A peer only needs a 21-byte header plus compressedLength payload bytes - 22 bytes if compressedLength == 1 - to force that allocation. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-42578 ] io.netty:netty-handler-proxy 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's HttpProxyHandler constructs HTTP CONNECT requests with header validation explicitly disabled. The newInitialMessage() method creates headers using DefaultHttpHeadersFactory.headersFactory().withValidation(false), then adds user-provided outboundHeaders without any CRLF validation. This allows an attacker who can influence the outbound headers to inject arbitrary HTTP headers into the CONNECT request sent to the proxy server. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-33871 ] io.netty:netty-codec-http2 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows an user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

[ CVE-2026-33870 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

[ CVE-2026-42580 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. Prior to 4.2.13.Final and 4.1.133.Final, Netty's chunk size parser silently overflows int, enabling request smuggling attacks. This vulnerability is fixed in 4.2.13.Final and 4.1.133.Final.

[ CVE-2026-41417 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty allows request-line validation to be bypassed when a DefaultHttpRequest or DefaultFullHttpRequest is created first and its URI is later changed via setUri(). The constructors reject CRLF and whitespace characters that would break the start-line, but setUri() does not apply the same validation. HttpRequestEncoder and RtspEncoder then write the URI into the request line verbatim. If attacker-controlled input reaches setUri(), this enables CRLF injection and insertion of additional HTTP or RTSP requests, leading to HTTP request smuggling or desynchronization on the HTTP side and request injection on the RTSP side. This issue is fixed in versions 4.2.13.Final and 4.1.133.Final.

[ CVE-2025-67735 ] io.netty:netty-codec-http 4.1.128.Final

Description:
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the io.netty.handler.codec.http.HttpRequestEncoder has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when HttpRequestEncoder is used without proper sanitization of the URI. Any application / framework using HttpRequestEncoder can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

Note:

---

Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system.

---

🐸 JFrog Frogbot