From d46dacce64cab9d89c0ff1d93da446aaa070f925 Mon Sep 17 00:00:00 2001
From: Asif Sohail Mohammed <nsifmoh@amazon.com>
Date: Sat, 7 Oct 2023 00:17:50 +0530
Subject: [PATCH] Fix CVE-2023-39410 (#3450)

Signed-off-by: Asif Sohail Mohammed <nsifmoh@amazon.com>
(cherry picked from commit 74409e2cf8cd5add484592e87b7c68bff1dede04)
---
 data-prepper-plugins/avro-codecs/build.gradle    | 2 +-
 data-prepper-plugins/kafka-plugins/build.gradle  | 2 +-
 data-prepper-plugins/parquet-codecs/build.gradle | 2 +-
 data-prepper-plugins/s3-sink/build.gradle        | 2 +-
 data-prepper-plugins/s3-source/build.gradle      | 2 +-
 settings.gradle                                  | 2 ++
 6 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/data-prepper-plugins/avro-codecs/build.gradle b/data-prepper-plugins/avro-codecs/build.gradle
index f694d65d37..e1504fa08b 100644
--- a/data-prepper-plugins/avro-codecs/build.gradle
+++ b/data-prepper-plugins/avro-codecs/build.gradle
@@ -5,7 +5,7 @@
 
 dependencies {
     implementation project(path: ':data-prepper-api')
-    implementation 'org.apache.avro:avro:1.11.1'
+    implementation libs.avro.core
     implementation 'org.apache.parquet:parquet-common:1.13.1'
     implementation 'software.amazon.awssdk:s3'
     implementation 'software.amazon.awssdk:apache-client'
diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
index 3436de0133..12281e44a1 100644
--- a/data-prepper-plugins/kafka-plugins/build.gradle
+++ b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -11,7 +11,7 @@ dependencies {
     implementation project(':data-prepper-api')
     implementation project(':data-prepper-plugins:buffer-common')
     implementation 'org.apache.kafka:kafka-clients:3.4.0'
-    implementation 'org.apache.avro:avro:1.11.0'
+    implementation libs.avro.core
     implementation 'com.fasterxml.jackson.core:jackson-databind'
     implementation 'io.micrometer:micrometer-core'
     implementation libs.commons.lang3
diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
index 17b3dac53d..7fa162c8dd 100644
--- a/data-prepper-plugins/parquet-codecs/build.gradle
+++ b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -6,7 +6,7 @@
 dependencies {
     implementation project(':data-prepper-api')
     implementation project(':data-prepper-plugins:common')
-    implementation 'org.apache.avro:avro:1.11.0'
+    implementation libs.avro.core
     implementation libs.hadoop.common
     implementation(libs.hadoop.mapreduce) {
         exclude group: 'org.apache.hadoop', module: 'hadoop-hdfs-client'
diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
index 831db1254c..a7d09d77b6 100644
--- a/data-prepper-plugins/s3-sink/build.gradle
+++ b/data-prepper-plugins/s3-sink/build.gradle
@@ -18,7 +18,7 @@ dependencies {
     implementation 'software.amazon.awssdk:sts'
     implementation 'org.jetbrains.kotlin:kotlin-stdlib:1.8.21'
     implementation project(':data-prepper-plugins:avro-codecs')
-    implementation 'org.apache.avro:avro:1.11.1'
+    implementation libs.avro.core
     implementation libs.hadoop.common
     implementation 'org.apache.parquet:parquet-avro:1.13.1'
     implementation 'software.amazon.awssdk:apache-client'
diff --git a/data-prepper-plugins/s3-source/build.gradle b/data-prepper-plugins/s3-source/build.gradle
index f192e61cf1..20f4d8ef0c 100644
--- a/data-prepper-plugins/s3-source/build.gradle
+++ b/data-prepper-plugins/s3-source/build.gradle
@@ -46,7 +46,7 @@ dependencies {
     testImplementation project(':data-prepper-plugins:in-memory-source-coordination-store')
     testImplementation project(':data-prepper-core')
     testImplementation project(':data-prepper-plugins:parquet-codecs')
-    testImplementation 'org.apache.avro:avro:1.11.0'
+    testImplementation libs.avro.core
     testImplementation testLibs.hadoop.common
     testImplementation 'org.apache.parquet:parquet-avro:1.13.1'
     testImplementation 'org.apache.parquet:parquet-column:1.13.1'
diff --git a/settings.gradle b/settings.gradle
index 2829812a74..d1c8f4db3a 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -46,6 +46,8 @@ dependencyResolutionManagement {
             version('hadoop', '3.3.6')
             library('hadoop-common', 'org.apache.hadoop', 'hadoop-common').versionRef('hadoop')
             library('hadoop-mapreduce', 'org.apache.hadoop', 'hadoop-mapreduce-client-core').versionRef('hadoop')
+            version('avro', '1.11.3')
+            library('avro-core', 'org.apache.avro', 'avro').versionRef('avro')
         }
         testLibs {
             version('junit', '5.8.2')