Skip to content

Remediate CVE-2026-54399/54428 in httpcore5-h2; suppress 4.x false positive#1441

Merged
labkey-willm merged 2 commits into
developfrom
fb_owasp_cves_20260709
Jul 10, 2026
Merged

Remediate CVE-2026-54399/54428 in httpcore5-h2; suppress 4.x false positive#1441
labkey-willm merged 2 commits into
developfrom
fb_owasp_cves_20260709

Conversation

@labkey-willm

@labkey-willm labkey-willm commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Rationale

OWASP dependency-check flagged CVE-2026-54399 (HTTP/1.1 parser DoS) and CVE-2026-54428 (HTTP/2 HPACK decoder DoS), both scoped to Apache HttpComponents Core "up to and including 5.4.2". Two things were needed: the classic httpcore 4.x artifact is not affected (4.x has no HTTP/2 module and no fixed 4.4.x release exists for these 5.x-scoped CVEs), so it is suppressed as a false positive; and the real exposure is httpcore5-h2, which was resolving transitively to 5.3.6 because the resolutionStrategy force block pinned httpcore5 and httpclient5 but not httpcore5-h2.

Related Pull Requests

Changes

  • Force org.apache.httpcomponents.core5:httpcore5-h2 to httpcore5Version (5.4.3), upgrading the transitive 5.3.6 past the vulnerable 5.4.2 ceiling and clearing both CVEs. Verified via :server:modules:platform:api:dependencies (5.3.6 -> 5.4.3).
  • Suppress false positive CVE-2026-54428 on the classic httpcore 4.x artifact.

Note on shaded copies

Shaded copies of these http5 libraries originate from labkey-api-jdbc (:remoteapi:labkey-api-jdbc, only wired into the build under the all settings/module set) and are being addressed separately. They do not appear in a -PmoduleSet=community scan because that project is out of scope there.

@labkey-willm labkey-willm self-assigned this Jul 9, 2026
The resolutionStrategy force block pinned httpcore5 (5.4.3) and httpclient5 (5.5.2) but not httpcore5-h2, which resolved transitively to 5.3.6 and remained flagged by OWASP dependency-check for CVE-2026-54399 (HTTP/1.1 parser DoS) and CVE-2026-54428 (HTTP/2 HPACK decoder DoS). Both are scoped to Apache HttpComponents Core up to and including 5.4.2; aligning httpcore5-h2 to httpcore5Version (5.4.3) resolves them. Shaded copies originating from labkey-api-jdbc are addressed separately.
@labkey-willm labkey-willm changed the title suppress false positive CVE-2026-54428 Remediate CVE-2026-54399/54428 in httpcore5-h2; suppress 4.x false positive Jul 9, 2026
@labkey-willm labkey-willm requested a review from labkey-adam July 9, 2026 21:44
@labkey-willm labkey-willm merged commit 0cd2879 into develop Jul 10, 2026
7 of 8 checks passed
@labkey-willm labkey-willm deleted the fb_owasp_cves_20260709 branch July 10, 2026 15:39
labkey-willm added a commit that referenced this pull request Jul 10, 2026
….7.12 (#1442)

## Rationale
Ports the OWASP dependency-check CVE remediations from develop (PR
#1441, branch fb_owasp_cves_20260709) onto the 26.3 release branch. The
26.3 scan flagged CVE-2026-54399 / CVE-2026-54428 (httpcore5-h2
resolving transitively to 5.3.6) and additionally CVE-2026-54291
(postgresql JDBC driver pinned at 42.7.11 — a channel-binding downgrade
fixed in 42.7.12; develop was already on 42.7.12).

## Related Pull Requests
- #1441

## Changes
- Force `org.apache.httpcomponents.core5:httpcore5-h2` to
`httpcore5Version` (5.4.3), upgrading the transitive 5.3.6 past the
vulnerable 5.4.2 ceiling (CVE-2026-54399, CVE-2026-54428).
- Bump `postgresqlDriverVersion` 42.7.11 -> 42.7.12 (CVE-2026-54291).
- Suppress the CVE-2026-54428 false positive on the classic httpcore 4.x
artifact.

## Note on shaded copies
Shaded copies of these http5 libraries originate from labkey-api-jdbc
and are addressed separately.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants