
Conversation

@guptas6est guptas6est (Contributor) commented Nov 4, 2025

Motivation

This PR addresses multiple CVEs detected in transitive dependencies used in the Pulsar IO modules flume and hbase.
The affected libraries are Apache Tomcat Embed Core, Apache MINA, Apache Derby, and Apache Avro, which were introducing vulnerabilities through indirect dependencies.

Vulnerabilities remediated include:

Apache Tomcat Embed Core

Apache MINA

Apache Derby

Apache Avro

  • CVE-2024-47561 – Schema Parsing May Trigger Remote Code Execution (RCE)
  • CVE-2023-39410 – Memory Consumption Issue when Deserializing Untrusted Data

Modifications

Added exclusions for vulnerable transitive dependencies in:

  • pulsar-io/flume/pom.xml → Excluded tomcat-embed-core, mina-core, and derby
  • pulsar-io/hbase/pom.xml → Excluded avro

Verifying this change

  • Make sure that the change passes the CI checks.

(Please pick either of the following options)

This change is a trivial rework / code cleanup without any test coverage.

(or)

This change is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(example:)

  • Added integration tests for end-to-end deployment with large payloads (10MB)
  • Extended integration test for recovery after broker failure

Does this pull request potentially affect one of the following parts:

If the box was checked, please highlight the changes

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Documentation

  • doc
  • doc-required
  • doc-not-needed
  • doc-complete

Matching PR in forked repository

PR in forked repository:

…vro, Tomcat-embed-core, Mina-core, Derby) to remediate CVEs
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Nov 4, 2025
@lhotari lhotari (Member) commented Nov 4, 2025

Please run Pulsar CI in your fork as the first step to ensure that tests pass with these changes. You can find instructions for doing this in the "Personal CI" documentation.

@guptas6est guptas6est (Contributor Author)

Hi @lhotari, I’ve already run the Personal CI workflows in my fork, and all checks have passed successfully with a few skips.
Here’s a screenshot for your reference:
[screenshot]

@lhotari lhotari (Member) commented Nov 4, 2025

> Hi @lhotari, I’ve already run the Personal CI workflows in my fork, and all checks have passed successfully with a few skips.
> Here’s a screenshot for your reference:

In the PR description template, the "PR in forked repository:" is for adding the link to your PR so that the reviewer can find the workflow run.

@lhotari lhotari added this to the 4.2.0 milestone Nov 4, 2025
Comment on lines +69 to +70
<groupId>org.apache.mina</groupId>
<artifactId>mina-core</artifactId>
Member

Removing mina-core would most likely break the Flume connector. A better approach might be to remove the connector completely since we don't have integration tests to validate that it would really work when using a real network connection.
The current Flume connector tests use org.apache.flume.channel.MemoryChannel and there are no end-to-end integration tests that would use a real Flume instance running in a container.

Contributor Author

Instead of excluding mina-core, would it be acceptable to override mina-core to the latest fixed version (2.2.4) in dependencyManagement?
This version includes the fix for CVE-2024-52046, so it should allow us to remediate the vulnerability without breaking the Flume connector.
Please let me know if this approach works for you. Thanks!

Member

If the Flume connector works with a newer version, it's fine. However we don't really know if it works since tests are missing.

Comment on lines +80 to +83
<exclusion>
<groupId>org.apache.avro</groupId>
<artifactId>avro</artifactId>
</exclusion>
Member

Would this problem be resolved by upgrading hbase.version to 2.6.3-hadoop3 and hadoop3.version to 3.4.1?

Contributor Author

Upgrading the hbase and hadoop3 versions to the latest didn’t eliminate the Avro CVE in Pulsar, but I can update these versions along with the avro exclusion from hbase client.

Member

That would work. However, this current PR is problematic since it combines changes for 2 separate connectors in a single PR. It would be better to close this current PR and open a separate PR to upgrade hadoop3.version alone (since it touches also the tiered storage component), a separate PR for hbase.version + the Avro exclusion, and a separate PR to address the Flume connector. The reason to keep things separate is that it's easier to make decisions whether to include a change in maintenance versions or not.
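To make the two remediation styles debated in this review thread concrete, here is an added example pom fragment (not from the Pulsar repository or from this PR) that puts the dependencyManagement override of mina-core to 2.2.4 proposed for the Flume connector beside the avro exclusion on the hbase client proposed for the hbase connector. The org.apache.flume:flume-ng-core coordinates, the flume.version and mina-core.version property names and the Flume version placeholder are assumptions made for illustration; the org.apache.mina:mina-core and org.apache.avro:avro coordinates, the 2.2.4 version and the hbase.version value 2.6.3-hadoop3 come from the thread.

```xml
<!-- Added example, not from the Pulsar project: two ways to remediate a
     vulnerable transitive dependency in a Maven module, side by side.
     flume-ng-core as the carrier of mina-core, the flume.version and
     mina-core.version properties and the Flume version placeholder are
     assumptions for illustration. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>connector-dependency-remediation</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Fixed release named in the review thread for CVE-2024-52046 -->
    <mina-core.version>2.2.4</mina-core.version>
    <!-- hbase version proposed by the reviewer -->
    <hbase.version>2.6.3-hadoop3</hbase.version>
    <!-- Placeholder: the thread does not state the Flume version in use -->
    <flume.version>FLUME-VERSION-PLACEHOLDER</flume.version>
  </properties>

  <!-- Style 1: version override. A dependencyManagement entry wins over the
       version any transitive path would select, so the library stays on the
       classpath (the Flume connector keeps working) but at the fixed release. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.mina</groupId>
        <artifactId>mina-core</artifactId>
        <version>${mina-core.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Assumed carrier of mina-core; no exclusion here, the override above
         takes care of the version that is resolved. -->
    <dependency>
      <groupId>org.apache.flume</groupId>
      <artifactId>flume-ng-core</artifactId>
      <version>${flume.version}</version>
    </dependency>

    <!-- Style 2: exclusion. The transitive artifact is dropped entirely, so
         its vulnerable code is never on the classpath. Only safe when the
         connector never calls into the excluded library at runtime, which is
         exactly the reviewer's objection to excluding mina-core from Flume. -->
    <dependency>
      <groupId>org.apache.hbase</groupId>
      <artifactId>hbase-client</artifactId>
      <version>${hbase.version}</version>
      <exclusions>
        <exclusion>
          <groupId>org.apache.avro</groupId>
          <artifactId>avro</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After applying either style, check the resolved graph rather than trusting the scanner: `mvn dependency:tree -Dincludes=org.apache.mina:mina-core` should list mina-core only at 2.2.4, and `mvn dependency:tree -Dincludes=org.apache.avro:avro` should list nothing for the module that excludes it. The override keeps behaviour but relies on the fixed release being API-compatible; the exclusion removes the risk outright but needs a test that exercises the real connector path, which is why the thread asks for end-to-end coverage before accepting it.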

@guptas6est guptas6est (Contributor Author)

@lhotari Thank you for reviewing my PR. I’ll review the suggested changes and push the updates shortly. Apologies for not including the PR link earlier.

@lhotari lhotari (Member) commented Nov 5, 2025

Please close this PR and create separate PRs as mentioned in #24946 (comment)

@guptas6est guptas6est closed this Nov 5, 2025

Labels

doc-not-needed Your PR changes do not impact docs ready-to-test
