From 410be98797fc71c6a28f1694e11423b77ea308c9 Mon Sep 17 00:00:00 2001
From: bvolpato
Date: Tue, 24 Mar 2026 18:22:08 -0400
Subject: [PATCH 1/2] [Security] Bump PostgreSQL JDBC Driver from 42.2.16 to 42.7.10

Upgrades the PostgreSQL JDBC Driver to address multiple CVEs:
- CVE-2024-1597 (CVSS 9.8): SQL injection via preferQueryMode=simple
- CVE-2022-31197: SQL injection in ResultSet.refreshRow
- CVE-2022-21724: Arbitrary code execution via JDBC URL
---
 CHANGES.md | 1 +
 .../main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index 064b1485449e..d8c9be72fda9 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -88,6 +88,7 @@
 ## Security Fixes
 * Fixed [CVE-2023-46604](https://www.cve.org/CVERecord?id=CVE-2023-46604) (CVSS 10.0) and [CVE-2022-41678](https://www.cve.org/CVERecord?id=CVE-2022-41678) by upgrading ActiveMQ from 5.14.5 to 5.19.2 (Java) ([#37943](https://github.com/apache/beam/issues/37943)).
+* Fixed [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597), [CVE-2022-31197](https://www.cve.org/CVERecord?id=CVE-2022-31197), and [CVE-2022-21724](https://www.cve.org/CVERecord?id=CVE-2022-21724) by upgrading PostgreSQL JDBC Driver from 42.2.16 to 42.7.10 (Java).
 ## Known Issues
diff --git a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
index e24ff6004940..44e44fc70279 100644
--- a/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
+++ b/buildSrc/src/main/groovy/org/apache/beam/gradle/BeamModulePlugin.groovy
@@ -634,7 +634,7 @@ class BeamModulePlugin implements Plugin {
 def netty_version = "4.1.124.Final"
 // [bomupgrader] determined by: io.opentelemetry:opentelemetry-sdk, consistent with: google_cloud_platform_libraries_bom
 def opentelemetry_version = "1.51.0"
- def postgres_version = "42.2.16"
+ def postgres_version = "42.7.10"
 // [bomupgrader] determined by: com.google.protobuf:protobuf-java, consistent with: google_cloud_platform_libraries_bom
 def protobuf_version = "4.33.2"
 // TODO(https://github.com/apache/beam/issues/37637): Remove this once the Bom has been updated to at least reach this version
From 124225932a906763ab42916bf1645105c8d557b0 Mon Sep 17 00:00:00 2001
From: Bruno Volpato
Date: Tue, 24 Mar 2026 18:54:13 -0400
Subject: [PATCH 2/2] Add issue link to CHANGES.md entry (fixes #37942)

---
 CHANGES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGES.md b/CHANGES.md
index d8c9be72fda9..2e3e9a34614f 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -88,7 +88,7 @@
 ## Security Fixes
 * Fixed [CVE-2023-46604](https://www.cve.org/CVERecord?id=CVE-2023-46604) (CVSS 10.0) and [CVE-2022-41678](https://www.cve.org/CVERecord?id=CVE-2022-41678) by upgrading ActiveMQ from 5.14.5 to 5.19.2 (Java) ([#37943](https://github.com/apache/beam/issues/37943)).
-* Fixed [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597), [CVE-2022-31197](https://www.cve.org/CVERecord?id=CVE-2022-31197), and [CVE-2022-21724](https://www.cve.org/CVERecord?id=CVE-2022-21724) by upgrading PostgreSQL JDBC Driver from 42.2.16 to 42.7.10 (Java).
+* Fixed [CVE-2024-1597](https://www.cve.org/CVERecord?id=CVE-2024-1597), [CVE-2022-31197](https://www.cve.org/CVERecord?id=CVE-2022-31197), and [CVE-2022-21724](https://www.cve.org/CVERecord?id=CVE-2022-21724) by upgrading PostgreSQL JDBC Driver from 42.2.16 to 42.7.10 (Java) ([#37942](https://github.com/apache/beam/issues/37942)).
 ## Known Issues