[RORDEV-1528] CVE-2024-29857 (#1137)

coutoPL · web-flow · commit fcb6cd80ec79 · 2025-07-10T08:41:41.000+02:00
diff --git a/core/build.gradle b/core/build.gradle
@@ -105,14 +105,8 @@ dependencies {
     api group: 'org.typelevel',                 name: 'squants_3',                          version: '1.8.3'
     api group: 'com.unboundid',                 name: 'unboundid-ldapsdk',                  version: '6.0.11'
     api group: 'com.lihaoyi',                   name: 'upickle_3',                          version: '4.0.2'
-    // https://www.bouncycastle.org/latest_releases.html#1.0.2.4-NONCERT
-    api group: 'org.bouncycastle',          name: 'bc-noncert',                             version: '1.0.2.4'
-    api(group: 'org.bouncycastle',          name: 'bctls-fips',                             version: '1.0.19') {
-        exclude group: 'org.bouncycastle', module: 'bc-fips'
-    }
-    api(group: 'org.bouncycastle',          name: 'bcpkix-fips',                            version: '1.0.7') {
-        exclude group: 'org.bouncycastle', module: 'bc-fips'
-    }
+    api group: 'org.bouncycastle',              name: 'bctls-fips',                         version: '2.1.20'
+    api group: 'org.bouncycastle',              name: 'bcpkix-fips',                        version: '2.1.9'
 
     testImplementation  project(':tests-utils')
     testImplementation  group: 'org.apache.logging.log4j',   name: 'log4j-core',                 version: '2.24.2'
diff --git a/es67x/plugin-metadata/plugin-security.policy b/es67x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es70x/plugin-metadata/plugin-security.policy b/es70x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es710x/plugin-metadata/plugin-security.policy b/es710x/plugin-metadata/plugin-security.policy
@@ -8,6 +8,7 @@ grant {
   permission java.lang.RuntimePermission "setContextClassLoader";
   permission java.net.SocketPermission "*", "accept, resolve, connect";
   permission java.security.SecurityPermission "insertProvider";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
 };
diff --git a/es72x/plugin-metadata/plugin-security.policy b/es72x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es73x/plugin-metadata/plugin-security.policy b/es73x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es74x/plugin-metadata/plugin-security.policy b/es74x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es77x/plugin-metadata/plugin-security.policy b/es77x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es78x/plugin-metadata/plugin-security.policy b/es78x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es79x/plugin-metadata/plugin-security.policy b/es79x/plugin-metadata/plugin-security.policy
@@ -12,10 +12,7 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "insertProvider.BCFIPS";
   permission java.security.SecurityPermission "insertProvider.BCJSSE";
-  permission java.security.SecurityPermission "getProperty.keystore.type.compat";
-  permission java.security.SecurityPermission "getProperty.jdk.certpath.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.disabledAlgorithms";
-  permission java.security.SecurityPermission "getProperty.jdk.tls.server.defaultDHEParameters";
+  permission java.security.SecurityPermission "getProperty.*";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
   permission java.security.SecurityPermission "removeProvider.SunJSSE";
diff --git a/es816x/plugin-metadata/plugin-security.policy b/es816x/plugin-metadata/plugin-security.policy
@@ -10,5 +10,6 @@ grant {
   permission java.security.SecurityPermission "insertProvider";
   permission java.security.SecurityPermission "putProviderProperty.BCFIPS";
   permission java.security.SecurityPermission "putProviderProperty.BCJSSE";
+  permission java.security.SecurityPermission "getProperty.org.bouncycastle.disabledAlgorithms";
   permission java.util.PropertyPermission "*", "read,write";
 };
diff --git a/gradle.properties b/gradle.properties
@@ -1,5 +1,5 @@
 publishedPluginVersion=1.64.2
-pluginVersion=1.65.0-pre9
+pluginVersion=1.65.0-pre11
 pluginName=readonlyrest
 
 org.gradle.jvmargs=-Xmx6144m
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es711xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es711xPatch.scala
@@ -16,20 +16,31 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.SimpleEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
 import tech.beshu.ror.tools.core.patches.internal.filePatchers.*
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.getPropertySecurityPermission
 
 import scala.language.postfixOps
 
 private[patches] class Es711xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends SimpleEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        getPropertySecurityPermission
+      )),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion),
       new SnapshotsServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion)
     ),
+    new RorSecurityPolicyPatchCreator(
+      AddAdditionalPermissions(NonEmptyList.of(
+        getPropertySecurityPermission
+      )),
+    ),
     new XPackCoreJarPatchCreator(
       AlwaysGrantApplicationPermission,
       GetAuthenticationFromHeaderWhenMissingInTransient
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es717xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es717xPatch.scala
@@ -16,20 +16,31 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.SimpleEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
-import tech.beshu.ror.tools.core.patches.internal.filePatchers.{ElasticsearchJarPatchCreator, XPackCoreJarPatchCreator, XPackSecurityJarPatchCreator}
+import tech.beshu.ror.tools.core.patches.internal.filePatchers.{ElasticsearchJarPatchCreator, RorSecurityPolicyPatchCreator, XPackCoreJarPatchCreator, XPackSecurityJarPatchCreator}
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.getPropertySecurityPermission
 
 import scala.language.postfixOps
 
 private[patches] class Es717xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends SimpleEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        getPropertySecurityPermission
+      )),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion),
       new SecurityManagerShouldAllowReadingEsConfigFile(esVersion)
     ),
+    new RorSecurityPolicyPatchCreator(
+      AddAdditionalPermissions(NonEmptyList.of(
+        getPropertySecurityPermission
+      )),
+    ),
     new XPackCoreJarPatchCreator(
       AlwaysGrantApplicationPermission
     ),
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es80xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es80xPatch.scala
@@ -16,23 +16,29 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.TransportNetty4AwareEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
 import tech.beshu.ror.tools.core.patches.internal.filePatchers.*
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
-import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddCreateClassLoaderPermission
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.*
 
 import scala.language.postfixOps
 
 private[patches] class Es80xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends TransportNetty4AwareEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
-      ModifyBootstrapPolicyUtilClass,
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion)
     ),
     new RorSecurityPolicyPatchCreator(
-      AddCreateClassLoaderPermission
+      AddAdditionalPermissions(NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
     ),
     new XPackCoreJarPatchCreator(
       AlwaysGrantApplicationPermission
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es813xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es813xPatch.scala
@@ -16,24 +16,30 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.TransportNetty4AwareEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
 import tech.beshu.ror.tools.core.patches.internal.filePatchers.*
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
-import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddCreateClassLoaderPermission
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.*
 
 import scala.language.postfixOps
 
 private[patches] class Es813xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends TransportNetty4AwareEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
       OpenModule,
-      ModifyBootstrapPolicyUtilClass,
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion)
     ),
     new RorSecurityPolicyPatchCreator(
-      AddCreateClassLoaderPermission
+      AddAdditionalPermissions(NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
     ),
     new XPackCoreJarPatchCreator(
       OpenModule
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es814xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es814xPatch.scala
@@ -16,24 +16,30 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.TransportNetty4AwareEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
 import tech.beshu.ror.tools.core.patches.internal.filePatchers.*
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
-import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddCreateClassLoaderPermission
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.*
 
 import scala.language.postfixOps
 
 private[patches] class Es814xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends TransportNetty4AwareEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
       OpenModule,
-      ModifyBootstrapPolicyUtilClass,
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion)
     ),
     new RorSecurityPolicyPatchCreator(
-      AddCreateClassLoaderPermission
+      AddAdditionalPermissions(NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission)
+      ),
     ),
     new XPackCoreJarPatchCreator(
       OpenModule,
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es815xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es815xPatch.scala
@@ -16,25 +16,31 @@
  */
 package tech.beshu.ror.tools.core.patches
 
+import cats.data.NonEmptyList
 import just.semver.SemVer
 import tech.beshu.ror.tools.core.patches.base.TransportNetty4AwareEsPatch
 import tech.beshu.ror.tools.core.patches.internal.RorPluginDirectory
 import tech.beshu.ror.tools.core.patches.internal.filePatchers.*
 import tech.beshu.ror.tools.core.patches.internal.modifiers.bytecodeJars.*
-import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddCreateClassLoaderPermission
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions
+import tech.beshu.ror.tools.core.patches.internal.modifiers.securityPolicyFiles.AddAdditionalPermissions.*
 
 import scala.language.postfixOps
 
 private[patches] class Es815xPatch(rorPluginDirectory: RorPluginDirectory, esVersion: SemVer)
   extends TransportNetty4AwareEsPatch(rorPluginDirectory, esVersion,
     new ElasticsearchJarPatchCreator(
       OpenModule,
-      ModifyBootstrapPolicyUtilClass,
+      new ModifyBootstrapPolicyUtilClass(esVersion, NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
       new SecurityManagerShouldAllowReadingEsConfigFile(esVersion),
       new RepositoriesServiceAvailableForClusterServiceForAnyTypeOfNode(esVersion)
     ),
     new RorSecurityPolicyPatchCreator(
-      AddCreateClassLoaderPermission
+      AddAdditionalPermissions(NonEmptyList.of(
+        createClassLoaderRuntimePermission, getPropertySecurityPermission
+      )),
     ),
     new XPackCoreJarPatchCreator(
       OpenModule,
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es83xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es83xPatch.scala
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es89xPatch.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/Es89xPatch.scala
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/internal/modifiers/bytecodeJars/ModifyBootstrapPolicyUtilClass.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/internal/modifiers/bytecodeJars/ModifyBootstrapPolicyUtilClass.scala
diff --git a/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/internal/modifiers/securityPolicyFiles/AddAdditionalPermissions.scala b/ror-tools-core/src/main/scala/tech/beshu/ror/tools/core/patches/internal/modifiers/securityPolicyFiles/AddAdditionalPermissions.scala
