From dfeb6fd474f3b356d88b8c449d4babc8e9829b19 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Fri, 8 May 2026 14:31:08 +1000
Subject: [PATCH 1/2] chore(security): upgrade gnutls + netty for CVE batch (UID2-7030, UID2-7031..7035)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Dockerfile: install gnutls 3.8.13-r0 to fix CVE-2026-3833 (also clears the previously suppressed CVE-2026-1584, CVE-2026-33845, CVE-2026-33846).
* pom.xml: bump netty 4.1.132.Final → 4.1.133.Final to fix CVE-2026-42583 / 42579 / 42584 / 42587.
* .trivyignore: remove the three obsolete gnutls suppressions and add CVE-2026-42577 (server-side epoll DoS, no 4.1.x patch backported by upstream — service is behind authenticated LB; CVSS impact is Availability only).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .trivyignore | 19 +++++++++----------
 Dockerfile | 2 +-
 pom.xml | 2 +-
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index ba595906..d0ba7fa4 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -10,16 +10,15 @@ CVE-2022-37767
 # See: UID2-5493
 CVE-2025-1686
-# gnutls DoS vulnerability via crafted ClientHello - not impactful as gnutls is not used by our Java service
-# See: UID2-6655
-CVE-2026-1584 exp:2026-08-27
-# gnutls DoS vulnerability via DTLS zero-length record - not impactful as gnutls is not used by our Java service
-# See: UID2-7008
-CVE-2026-33845 exp:2026-11-04
-# gnutls DoS vulnerability via heap buffer overflow in DTLS handshake - not impactful as gnutls is not used by our Java service
-# See: UID2-7012
-CVE-2026-33846 exp:2026-11-05
-
 # jackson-core async parser DoS - not exploitable, services only use synchronous ObjectMapper API
 # See: UID2-6670
 GHSA-72hv-8253-57qq exp:2026-09-01
+
+# CVE-2026-42577 — netty-transport-native-epoll DoS via RST on half-closed TCP connection.
+# Advisory: https://github.com/netty/netty/security/advisories/GHSA-rwm7-x88c-3g2p
+# Server-side bug; netty maintainers backported the fix only to 4.2.13.Final and we run on
+# vert.x 4 / netty 4.1.x. This service sits behind authenticated load balancers (mTLS / API
+# gateway) so anonymous external attackers cannot reach the netty epoll socket directly;
+# LB-level connection limits and idle timeouts further cap the blast radius. CVSS impact is
+# Availability only (C:N/I:N/A:H). Tracking via UID2-7035; revisit on vert.x 5 migration.
+CVE-2026-42577 exp:2026-06-08
diff --git a/Dockerfile b/Dockerfile
index 287bba32..e16b20a0 100644
--- a/Dockerfile
+++ b/Dockerfile
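Review bot: The rationale added for CVE-2026-42577 rests on `anonymous external attackers cannot reach the netty epoll socket directly`, but with a terminating load balancer the peer of that socket is the LB itself, so what matters for an RST-on-half-close bug is whether the LB ever half-closes or resets its backend connections (for example when a client drops mid-response) — that assumption is not stated and should be, with a pointer to the LB's backend-connection settings. Authenticated API clients also remain on the path, so "authenticated" narrows the population rather than removing it; the comment should say which of the two it relies on. The `exp:2026-06-08` date (one month out) and "revisit on vert.x 5 migration" name different triggers; suggest adding `# exp is deliberately short: re-check upstream 4.1.x backport status at expiry, independent of the vert.x 5 timeline.` so the next reader does not simply extend the suppression to the migration date.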
@@ -17,7 +17,7 @@ COPY ./conf/default-config.json /app/conf/
 COPY ./conf/*.xml /app/conf/
 COPY ./webroot/ /app/webroot/
-RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils && adduser -D uid2-admin && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
+RUN apk add --no-cache --upgrade libpng libcrypto3 libssl3 musl musl-utils gnutls && adduser -D uid2-admin && mkdir -p /app && chmod 705 -R /app && mkdir -p /app/file-uploads && chmod 777 -R /app/file-uploads
 USER uid2-admin
 CMD java \
diff --git a/pom.xml b/pom.xml
index e50e3028..152f2c43 100644
--- a/pom.xml
+++ b/pom.xml
@@ -18,7 +18,7 @@
 5.11.2
 11.4.16
 0.5.10
- 4.1.132.Final
+ 4.1.133.Final
 ${project.version}

From c619011e8253e8fbc4e71faf0ee0db005d698111 Mon Sep 17 00:00:00 2001
From: sophia chen
Date: Fri, 8 May 2026 14:52:34 +1000
Subject: [PATCH 2/2] =?UTF-8?q?chore(security):=20upgrade=20bouncycastle?= =?UTF-8?q?=201.78.1=20=E2=86=92=201.84=20(UID2-7036,=20CVE-2026-5598)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Trivy surfaced CVE-2026-5598 (HIGH) in bcprov-jdk18on 1.78.1 — private key leakage via non-constant-time comparisons. Pulled in transitively via okta-jwt-verifier → sslcontext-kickstart-for-pem. Added explicit 1.84 pin in dependencyManagement to override the transitive version.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 pom.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pom.xml b/pom.xml
index 152f2c43..740475e7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -46,6 +46,23 @@
 pom
 import
+
+
+
+ org.bouncycastle
+ bcprov-jdk18on
+ 1.84
+
+ org.bouncycastle
+ bcpkix-jdk18on
+ 1.84
+
+ org.bouncycastle
+ bcutil-jdk18on
+ 1.84
+
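Review bot: The new `apk add --no-cache --upgrade ... gnutls` installs gnutls into the image's explicitly requested package set but does not express the version the commit message says closes CVE-2026-3833 (3.8.13-r0), so whether the CVE is actually fixed depends on what the Alpine mirror serves when the image is built. Either pin it (`gnutls=3.8.13-r0`, accepting that the build breaks when Alpine retires that revision) or leave it unpinned and add a Dockerfile comment naming the minimum fixed version, so the Trivy scan, not the RUN line, is the evidence of remediation. The suppressions removed in .trivyignore recorded that gnutls is not used by the Java service; if the package is only present transitively, removing it from the final image (or confirming it is absent) would shrink the scanned surface more durably than upgrading it. Unrelated to this change but on the same line, `chmod 777 -R /app/file-uploads` leaves the upload directory world-writable and is worth its own ticket.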