chore(deps): Security dependency remediation - Spring Boot 3.5.8 and library updates

Summary

Security vulnerability scan identified 242 vulnerabilities in the partition service dependencies. This issue tracks the remediation effort to update dependencies and align with upstream OSDU library releases.

Security Scan Results

Severity   Count   Key Issues
CRITICAL   6       Spring4Shell (CVE-2022-22965), Tomcat RCE (CVE-2025-24813)
HIGH       114     Auth bypass, SnakeYAML RCE, Netty DoS
MEDIUM     122     Path traversal, DoS vectors

Dependencies

This work depends on the following library releases:

  • os-core-common - Release with Spring Boot 3.5.8, Netty 4.1.128.Final, Logback 1.5.21
  • core-lib-azure - Release with Spring 6.2.14, nimbus-jose-jwt 10.6, lettuce 6.8.1

Proposed Changes

partition/pom.xml

<properties>
  <!-- OSDU Versions - update after library release -->
  <os-core-common.version>TBD</os-core-common.version>

  <!-- Spring Versions - align with libraries -->
  <spring-boot.version>3.5.8</spring-boot.version>
  <spring-security.version>6.5.7</spring-security.version>
  <spring-framework.version>6.2.14</spring-framework.version>

  <!-- Project Versions -->
  <lombok.version>1.18.42</lombok.version>
  <guava.version>33.5.0-jre</guava.version>
</properties>

partition/provider/partition-azure/pom.xml

<properties>
  <!-- Update after library release -->
  <core-lib-azure.version>TBD</core-lib-azure.version>
</properties>

Also remove the explicit ${spring-boot.version} override on the spring-boot-starter-security dependency (line 70), so its version is managed by the Spring Boot parent/BOM instead.
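As an added example (not code from the issue or the OSDU project), the check below parses a pom.xml properties block and verifies each version property against the patched floors listed in this issue, flagging the TBD placeholders that must be replaced once the libraries are released. The sample pom fragment is constructed for illustration; the property names and floors are those from this issue.

```python
# Added example, not from the issue or the OSDU project: parse a pom.xml
# <properties> block and check each version against the floors in this issue.
import re
import xml.etree.ElementTree as ET

# Patched floors from the issue; None = no number yet, but a placeholder must not remain.
FLOORS = {
    "spring-boot.version": "3.5.8",
    "spring-security.version": "6.5.7",
    "spring-framework.version": "6.2.14",
    "os-core-common.version": None,
}

# Constructed sample fragment; "TBD" mirrors the placeholder used in the issue.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties>
  <os-core-common.version>TBD</os-core-common.version>
  <spring-boot.version>3.5.8</spring-boot.version>
  <spring-security.version>6.5.7</spring-security.version>
  <spring-framework.version>6.2.13</spring-framework.version>
</properties>
</project>"""

def version_key(v):
    """'4.1.128.Final' -> (4, 1, 128); qualifiers like Final/-jre are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def pom_properties(xml_text):
    """Map property name -> value for every child of <properties>, ignoring the POM namespace."""
    root = ET.fromstring(xml_text)
    props = {}
    for el in root.iter():
        if el.tag.split("}")[-1] == "properties":
            for child in el:
                props[child.tag.split("}")[-1]] = (child.text or "").strip()
    return props

def check_floors(xml_text, floors=FLOORS):
    """Return findings (unresolved placeholder, missing, below floor); [] means aligned."""
    props = pom_properties(xml_text)
    findings = []
    for name, floor in floors.items():
        value = props.get(name)
        if value is None:
            findings.append(f"{name}: not declared, version will come from parent/BOM")
        elif not re.search(r"\d", value):
            findings.append(f"{name}: unresolved placeholder '{value}'")
        elif floor and version_key(value) < version_key(floor):
            findings.append(f"{name}: {value} is below patched floor {floor}")
    return findings
```

Declared properties are only the starting point; confirm the resolved tree with `mvn dependency:tree` so that transitive Netty, SnakeYAML and Tomcat versions are checked as well.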

CVEs Addressed

Via Spring Boot 3.5.8

  • CVE-2025-24813: Tomcat RCE
  • CVE-2025-22235: Spring Boot security bypass

Via Spring Framework 6.2.14

  • CVE-2025-41249: Spring Core authorization bypass
  • CVE-2025-41242: Spring WebMVC path traversal

Via Spring Security 6.5.7

  • CVE-2025-41248: Authorization bypass

Via Netty 4.1.128.Final

  • CVE-2025-24970: Native crash via SSL
  • CVE-2025-58057: Codec DoS
  • CVE-2025-55163: HTTP/2 DoS

Via core-lib-azure

  • CVE-2023-52428, CVE-2025-53864: nimbus-jose-jwt DoS
  • CVE-2024-47535: lettuce-core vulnerability
  • CVE-2025-22227: reactor-netty credential leak
  • CVE-2021-29425: Commons IO path traversal

Via os-core-common

  • CVE-2025-11226: Logback ACE
  • CVE-2025-48924: Commons Lang3 DoS

Validation

Validated locally with snapshot versions:

  • All 122 unit tests passing
  • Build time: ~15 seconds
  • No code changes required beyond pom.xml updates

Checklist

  • os-core-common released with security fixes
  • core-lib-azure released with security fixes
  • Update partition pom.xml with released versions
  • Update partition-azure pom.xml with released version
  • Run full test suite
  • Create MR
Edited Dec 09, 2025 by Daniel Scholl (MS)