From a21a99da1817e703c7bbf73ea76ceca66a6a6428 Mon Sep 17 00:00:00 2001 From: Jay Modi Date: Wed, 3 Oct 2018 12:31:19 -0600 Subject: [PATCH] Security: upgrade unboundid ldapsdk to 4.0.8 (#34247) This commit upgrades the unboundid ldapsdk to version 4.0.8. The primary driver for upgrading is a fix that prevents this library from rewrapping Error instances that would normally bubble up to the UncaughtExceptionHandler and terminate the JVM. Other notable changes include some fixes related to connection handling in the library's connection pool implementation. Closes #33175 --- x-pack/plugin/core/build.gradle | 2 +- .../licenses/unboundid-ldapsdk-3.2.0.jar.sha1 | 1 - .../licenses/unboundid-ldapsdk-4.0.8.jar.sha1 | 1 + .../licenses/unboundid-ldapsdk-LICENSE.txt | 77 ++++++++++--------- .../elasticsearch/xpack/core/XPackPlugin.java | 1 + x-pack/plugin/security/build.gradle | 2 +- 6 files changed, 43 insertions(+), 41 deletions(-) delete mode 100644 x-pack/plugin/core/licenses/unboundid-ldapsdk-3.2.0.jar.sha1 create mode 100644 x-pack/plugin/core/licenses/unboundid-ldapsdk-4.0.8.jar.sha1 diff --git a/x-pack/plugin/core/build.gradle b/x-pack/plugin/core/build.gradle index a58500b880f..01e8179fb62 100644 --- a/x-pack/plugin/core/build.gradle +++ b/x-pack/plugin/core/build.gradle @@ -35,7 +35,7 @@ dependencies { compile "commons-codec:commons-codec:${versions.commonscodec}" // security deps - compile 'com.unboundid:unboundid-ldapsdk:3.2.0' + compile 'com.unboundid:unboundid-ldapsdk:4.0.8' compile project(path: ':modules:transport-netty4', configuration: 'runtime') compile(project(path: ':plugins:transport-nio', configuration: 'runtime')) { // TODO: core exclusion should not be necessary, since it is a transitive dep of all plugins diff --git a/x-pack/plugin/core/licenses/unboundid-ldapsdk-3.2.0.jar.sha1 b/x-pack/plugin/core/licenses/unboundid-ldapsdk-3.2.0.jar.sha1 deleted file mode 100644 index 23697f364e9..00000000000 
--- a/x-pack/plugin/core/licenses/unboundid-ldapsdk-3.2.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-f76725e5a215ea468ecda06a8d66a809281e685f
\ No newline at end of file
diff --git a/x-pack/plugin/core/licenses/unboundid-ldapsdk-4.0.8.jar.sha1 b/x-pack/plugin/core/licenses/unboundid-ldapsdk-4.0.8.jar.sha1
new file mode 100644
index 00000000000..b235ed0cea8
--- /dev/null
+++ b/x-pack/plugin/core/licenses/unboundid-ldapsdk-4.0.8.jar.sha1
@@ -0,0 +1 @@
+bf1a0d3790f8f7bd28f1172323c26fed2e3bbaa5
\ No newline at end of file
diff --git a/x-pack/plugin/core/licenses/unboundid-ldapsdk-LICENSE.txt b/x-pack/plugin/core/licenses/unboundid-ldapsdk-LICENSE.txt
index e57554e5692..5f5be0327d2 100644
--- a/x-pack/plugin/core/licenses/unboundid-ldapsdk-LICENSE.txt
+++ b/x-pack/plugin/core/licenses/unboundid-ldapsdk-LICENSE.txt
@@ -1,76 +1,77 @@ UnboundID LDAP SDK Free Use License -THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND UNBOUNDID CORP. ("UNBOUNDID") -REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY ASSOCIATED -DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND SOURCE FILES OR -OTHER MATERIALS MADE AVAILABLE BY UNBOUNDID (COLLECTIVELY REFERRED TO IN THIS -AGREEMENT AS THE ("SDK"). +THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND PING IDENTITY CORPORATION +("PING IDENTITY") REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY +ASSOCIATED DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND +SOURCE FILES OR OTHER MATERIALS MADE AVAILABLE BY PING IDENTITY (COLLECTIVELY +REFERRED TO IN THIS AGREEMENT AS THE ("SDK"). BY INSTALLING, ACCESSING OR OTHERWISE USING THE SDK, YOU ACCEPT THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT INSTALL, ACCESS OR USE THE SDK. -USE OF THE SDK. Subject to your compliance with this Agreement, UnboundID -grants to You a non-exclusive, royalty-free license, under UnboundID's +USE OF THE SDK. Subject to your compliance with this Agreement, Ping Identity +grants to You a non-exclusive, royalty-free license, under Ping Identity's intellectual property rights in the SDK, to use, reproduce, modify and distribute this release of the SDK; provided that no license is granted herein under any patents that may be infringed by your modifications, derivative works or by other works in which the SDK may be incorporated (collectively, your "Applications"). You may reproduce and redistribute the SDK with your Applications provided that you (i) include this license file and an -unmodified copy of the unboundid-ldapsdk-se.jar file; and (ii) such +unmodified copy of the unboundid-ldapsdk.jar file; and (ii) such redistribution is subject to a license whose terms do not conflict with or contradict the terms of this Agreement. 
You may also reproduce and redistribute the SDK without your Applications provided that you redistribute the SDK complete and unmodified (i.e., with all "read me" files, copyright notices, and -other legal notices and terms that UnboundID has included in the SDK). +other legal notices and terms that Ping Identity has included in the SDK). -SCOPE OF LICENSES. This Agreement does not grant You the right to use any -UnboundID intellectual property which is not included as part of the SDK. The +SCOPE OF LICENSES. This Agreement does not grant You the right to use any Ping +Identity intellectual property which is not included as part of the SDK. The SDK is licensed, not sold. This Agreement only gives You some rights to use -the SDK. UnboundID reserves all other rights. Unless applicable law gives You -more rights despite this limitation, You may use the SDK only as expressly +the SDK. Ping Identity reserves all other rights. Unless applicable law gives +You more rights despite this limitation, You may use the SDK only as expressly permitted in this Agreement. -SUPPORT. UnboundID is not obligated to provide any technical or other support -("Support Services") for the SDK to You under this Agreement. However, if -UnboundID chooses to provide any Support Services to You, Your use of such -Support Services will be governed by then-current UnboundID support policies. +SUPPORT. Ping Identity is not obligated to provide any technical or other +support ("Support Services") for the SDK to You under this Agreement. However, +if Ping Identity chooses to provide any Support Services to You, Your use of +such Support Services will be governed by then-current Ping Identity support +policies. -TERMINATION. UnboundID reserves the right to discontinue offering the SDK and -to modify the SDK at any time in its sole discretion. 
Notwithstanding anything -contained in this Agreement to the contrary, UnboundID may also, in its sole -discretion, terminate or suspend access to the SDK to You or any end user at -any time. In addition, if you fail to comply with the terms of this Agreement, -then any rights granted herein will be automatically terminated if such failure -is not corrected within 30 days of the initial notification of such failure. -You acknowledge that termination and/or monetary damages may not be a -sufficient remedy if You breach this Agreement and that UnboundID will be -entitled, without waiving any other rights or remedies, to injunctive or +TERMINATION. Ping Identity reserves the right to discontinue offering the SDK +and to modify the SDK at any time in its sole discretion. Notwithstanding +anything contained in this Agreement to the contrary, Ping Identity may also, +in its sole discretion, terminate or suspend access to the SDK to You or any +end user at any time. In addition, if you fail to comply with the terms of +this Agreement, then any rights granted herein will be automatically terminated +if such failure is not corrected within 30 days of the initial notification of +such failure. You acknowledge that termination and/or monetary damages may not +be a sufficient remedy if You breach this Agreement and that Ping Identity will +be entitled, without waiving any other rights or remedies, to injunctive or equitable relief as may be deemed proper by a court of competent jurisdiction -in the event of a breach. UnboundID may also terminate this Agreement if the -SDK becomes, or in UnboundID?s reasonable opinion is likely to become, the -subject of a claim of intellectual property infringement or trade secret +in the event of a breach. Ping Identity may also terminate this Agreement if +the SDK becomes, or in Ping Identity's reasonable opinion is likely to become, +the subject of a claim of intellectual property infringement or trade secret misappropriation. 
All rights and licenses granted herein will simultaneously and automatically terminate upon termination of this Agreement for any reason. -DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND UNBOUNDID DOES NOT +DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND PING IDENTITY DOES NOT WARRANT THAT THE SDK WILL BE ERROR-FREE, VIRUS-FREE, WILL PERFORM IN AN UNINTERRUPTED, SECURE OR TIMELY MANNER, OR WILL INTEROPERATE WITH OTHER HARDWARE, SOFTWARE, SYSTEMS OR DATA. TO THE MAXIMUM EXTENT ALLOWED BY LAW, ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF UNBOUNDID HAD BEEN -INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE HEREBY -DISCLAIMED. +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF PING IDENTITY HAD +BEEN INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE +HEREBY DISCLAIMED. -LIMITATION OF LIABILITY. IN NO EVENT WILL UNBOUNDID OR ITS SUPPLIERS BE LIABLE -FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, +LIMITATION OF LIABILITY. IN NO EVENT WILL PING IDENTITY OR ITS SUPPLIERS BE +LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS, REVENUE, DATA OR DATA USE, BUSINESS INTERRUPTION, COST OF COVER, DIRECT, INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND) ARISING OUT OF THE USE OF OR INABILITY TO USE THE SDK OR IN ANY WAY RELATED TO -THIS AGREEMENT, EVEN IF UNBOUNDID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH -DAMAGES. +THIS AGREEMENT, EVEN IF PING IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. ADDITIONAL RIGHTS. Certain states do not allow the exclusion of implied warranties or limitation of liability for certain kinds of damages, so the 
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java
index c2be7f828b1..80c4d5cad9f 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java
@@ -102,6 +102,7 @@ public class XPackPlugin extends XPackClientPlugin implements ScriptPlugin, Exte
 public Void run() {
 try {
 Class.forName("com.unboundid.util.Debug");
+ Class.forName("com.unboundid.ldap.sdk.LDAPConnectionOptions");
 } catch (ClassNotFoundException e) {
 throw new RuntimeException(e);
 }
diff --git a/x-pack/plugin/security/build.gradle b/x-pack/plugin/security/build.gradle
index 74241be4a91..d935a31b1a5 100644
--- a/x-pack/plugin/security/build.gradle
+++ b/x-pack/plugin/security/build.gradle
@@ -23,7 +23,7 @@ dependencies {
 testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
- compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
+ compile 'com.unboundid:unboundid-ldapsdk:4.0.8'
 compileOnly 'org.bouncycastle:bcprov-jdk15on:1.59'
 compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'
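Review bot: The added `Class.forName("com.unboundid.ldap.sdk.LDAPConnectionOptions")` carries no explanation of why this particular class has to be initialized inside the privileged `run()` next to `com.unboundid.util.Debug`, so the next SDK bump has no way to tell which classes belong on this list or whether it is still complete. Presumably the class's static initializer needs a permission (reading system properties, as the 4.x SDK's property-driven connection defaults would suggest) that a later, less-privileged caller stack would not hold — confirm against the 4.0.8 sources before documenting it. I would put a comment above the two calls, e.g. `// eagerly initialize SDK classes whose static initializers need plugin permissions (e.g. reading system properties), so a later caller's restricted stack cannot trigger an AccessControlException`, naming the exact permission once confirmed. Note that a failure inside such a static initializer surfaces as ExceptionInInitializerError rather than ClassNotFoundException, so the catch below will not rewrap it; that is arguably the right behaviour for a must-have class, but worth stating in the same comment. The enclosing `run()` (presumably a PrivilegedAction) and its surrounding method start before the hunk.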