From 20735cedbe9ddc7708d256d5182cd22ee6d5da49 Mon Sep 17 00:00:00 2001
From: Jing Zhang
Date: Thu, 20 Feb 2025 22:15:49 -0800
Subject: [PATCH] address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699 (#3575)
* address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699
Signed-off-by: Jing Zhang
* add exact version 2.5.2 for json-smart hardcode awssdk version to 2.30.18
Signed-off-by: Jing Zhang
---------
Signed-off-by: Jing Zhang
(cherry picked from commit 4d9546634ef9b56174ddc9efd2c0f65a54d7172f)
---
 common/build.gradle | 5 ++++-
 memory/build.gradle | 5 ++++-
 ml-algorithms/build.gradle | 19 +++++++++++--------
 plugin/build.gradle | 17 ++++++++++-------
 4 files changed, 29 insertions(+), 17 deletions(-)
diff --git a/common/build.gradle b/common/build.gradle
index 88d34aeb2b..5b460e3f52 100644
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -35,7 +35,10 @@ dependencies {
         exclude group: 'com.google.j2objc', module: 'j2objc-annotations'
         exclude group: 'com.google.guava', module: 'listenablefuture'
     }
-    compileOnly 'com.jayway.jsonpath:json-path:2.9.0'
+    compileOnly ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    compileOnly ('net.minidev:json-smart:2.5.2')
     compileOnly("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     compileOnly("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     compileOnly group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
diff --git a/memory/build.gradle b/memory/build.gradle
index db02d8fb7f..0ebfb880e8 100644
--- a/memory/build.gradle
+++ b/memory/build.gradle
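Review bot: The new `compileOnly ('net.minidev:json-smart:2.5.2')` line only fixes the compile classpath of this module; `compileOnly` contributes nothing at runtime, so the json-smart that actually ships is decided by whichever module puts json-path/json-smart on the runtime classpath (plugin/build.gradle here), and an exclude on one declaration does not constrain any other transitive path that pulls json-smart in. The same exclude-and-redeclare pattern is repeated in memory/build.gradle, ml-algorithms/build.gradle and plugin/build.gradle, and it silently regresses the moment another dependency brings its own json-smart. ml-algorithms/build.gradle already pins protobuf and commons-compress through `configurations.all { resolutionStrategy.force ... }`; a single `resolutionStrategy.force 'net.minidev:json-smart:2.5.2'` there (or a root-level constraint) would cover every path and every configuration. Whichever approach stays, a comment on the pin naming the json-smart advisory it addresses (presumably CVE-2024-57699 from the title) and the json-path version that still drags in the older release would tell the next maintainer when the exclude can be dropped.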
@@ -43,7 +43,10 @@ dependencies {
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
-    testImplementation 'com.jayway.jsonpath:json-path:2.9.0'
+    testImplementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    testImplementation('net.minidev:json-smart:2.5.2')
 }
 test {
diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
index 7154754d50..58598c7cc9 100644
--- a/ml-algorithms/build.gradle
+++ b/ml-algorithms/build.gradle
@@ -67,21 +67,24 @@ dependencies {
         }
     }
-    implementation platform('software.amazon.awssdk:bom:2.29.12')
-    api 'software.amazon.awssdk:auth:2.29.12'
+    implementation platform('software.amazon.awssdk:bom:2.30.18')
+    api 'software.amazon.awssdk:auth:2.30.18'
     implementation 'software.amazon.awssdk:apache-client'
     implementation ('com.amazonaws:aws-encryption-sdk-java:2.4.1') {
         exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk18on'
     }
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
-    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
     implementation group: 'org.json', name: 'json', version: '20231013'
-    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: "2.30.18"
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
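Review bot: Nothing in this hunk, nor in the plugin/build.gradle hunks, pins a Netty version, yet the title credits this change with CVE-2025-25193 and CVE-2025-24970, which as far as I can tell are Netty advisories; the fix therefore rests entirely on whatever io.netty release the 2.30.18 BOM happens to resolve behind `netty-nio-client`, and a later BOM move or a second transitive path could bring an older Netty back without any build failure. A `resolutionStrategy.force` on the affected io.netty modules in the existing `configurations.all` block, or at least a comment next to the `netty-nio-client` line naming the Netty version the BOM is expected to resolve and the two advisories, would make the intent verifiable. As a point of style, the bumped lines switch from single to double quotes (`version: "2.30.18"`) while every neighbouring dependency keeps single quotes, and the same literal is now repeated in six places across two files; `${versions.jackson}` shows a shared versions map is already in use, so one new entry (for example `versions.awssdk`, a constructed name) referenced as `version: "${versions.awssdk}"` would keep the SDK artifacts in step on the next bump.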
@@ -94,7 +97,7 @@ lombok {
 configurations.all {
     resolutionStrategy.force 'com.google.protobuf:protobuf-java:3.25.5'
     resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
-    resolutionStrategy.force 'software.amazon.awssdk:bom:2.29.12'
+    resolutionStrategy.force 'software.amazon.awssdk:bom:2.30.18'
 }
diff --git a/plugin/build.gradle b/plugin/build.gradle
index c5ec8e2862..a24bf028af 100644
--- a/plugin/build.gradle
+++ b/plugin/build.gradle
@@ -54,15 +54,15 @@ dependencies {
     implementation project(':opensearch-ml-memory')
     compileOnly "com.google.guava:guava:32.1.3-jre"
-    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
-    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: "2.30.18"
-    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: "2.30.18"
-    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: "2.30.18"
     zipArchive group: 'org.opensearch.plugin', name:'opensearch-job-scheduler', version: "${opensearch_build}"
     compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}"
@@ -84,7 +84,10 @@ dependencies {
     implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.19.0"
     testImplementation group: 'commons-io', name: 'commons-io', version: '2.15.1'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
 }
 publishing {