HADOOP-19764. Upgrade amazon-s3-encryption-client-java to 4.0.0+ due to Invisible Salamanders (CVE-2025-14763)

[pjfanning]

Description of PR

CVE-2025-14763

How was this patch tested?

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 42s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+0 🆗	shelldocs	0m 0s		Shelldocs was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	8m 45s		Maven dependency ordering for branch
+1 💚	mvninstall	15m 9s		trunk passed
+1 💚	compile	9m 38s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	compile	9m 30s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
-1 ❌	mvnsite	6m 25s	/branch-mvnsite-root.txt	root in trunk failed.
+1 💚	javadoc	5m 52s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	4m 52s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	shadedclient	24m 42s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 29s		Maven dependency ordering for patch
-1 ❌	mvninstall	14m 49s	/patch-mvninstall-root.txt	root in the patch failed.
-1 ❌	compile	8m 39s	/patch-compile-root-jdkUbuntu-21.0.7+6-Ubuntu-0ubuntu120.04.txt	root in the patch failed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04.
-1 ❌	javac	8m 39s	/patch-compile-root-jdkUbuntu-21.0.7+6-Ubuntu-0ubuntu120.04.txt	root in the patch failed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04.
-1 ❌	compile	9m 10s	/patch-compile-root-jdkUbuntu-17.0.15+6-Ubuntu-0ubuntu120.04.txt	root in the patch failed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04.
-1 ❌	javac	9m 10s	/patch-compile-root-jdkUbuntu-17.0.15+6-Ubuntu-0ubuntu120.04.txt	root in the patch failed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04.
+1 💚	blanks	0m 0s		The patch has no blanks issues.
-1 ❌	mvnsite	3m 36s	/patch-mvnsite-root.txt	root in the patch failed.
+1 💚	shellcheck	0m 0s		No new issues.
+1 💚	javadoc	5m 54s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	4m 52s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	shadedclient	26m 25s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	223m 29s	/patch-unit-root.txt	root in the patch failed.
+1 💚	asflicense	0m 44s		The patch does not generate ASF License warnings.
		365m 31s

Reason	Tests
Failed junit tests	hadoop.hdfs.tools.TestDFSAdmin
	hadoop.yarn.server.nodemanager.containermanager.logaggregation.TestLogAggregationService

Subsystem	Report/Notes
Docker	ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/2/artifact/out/Dockerfile
GITHUB PR	#8158
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname	Linux 08428a3a1a69 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / e0d9961
Default Java	Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/2/testReport/
Max. process+thread count	4613 (vs. ulimit of 5500)
modules	C: hadoop-project . U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/2/console
versions	git=2.25.1 maven=3.9.11 shellcheck=0.7.0
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

AWS SDK team breaking existing code again.

[steveloughran]

This updates the aws sdk. Is that needed? if so, -1 to the patch as is.

Upgrading an aws sdk is a nightmare which usually takes 4+ weeks, automated and manual regression testing with multiple s3 endpoints (s3, s3 express, third party) and as many options in the test matrix as possible (vpce, fips, encryption), then deciding how to react to the regressions which surface. Which do surface, almost always. SDK upgrades cost me about 8 weeks last year. No rush to repeat

https://github.com/steveloughran/engineering-proposals/blob/trunk/qualifying-an-SDK-upgrade.md

[pjfanning]

I misread https://mvnrepository.com/artifact/software.amazon.encryption.s3/amazon-s3-encryption-client-java/4.0.0 - it looks like we don't need to upgrade the AWS SDK jars, so I'll revert that part of the change.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 41s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+1 💚	mvninstall	21m 56s		trunk passed
+1 💚	compile	0m 15s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	compile	0m 17s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	mvnsite	0m 19s		trunk passed
+1 💚	javadoc	0m 17s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 16s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	shadedclient	37m 32s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+1 💚	mvninstall	0m 9s		the patch passed
+1 💚	compile	0m 8s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javac	0m 8s		the patch passed
+1 💚	compile	0m 9s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	javac	0m 9s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	0m 10s		the patch passed
+1 💚	javadoc	0m 9s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 9s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	shadedclient	15m 0s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 11s		hadoop-project in the patch passed.
+1 💚	asflicense	0m 24s		The patch does not generate ASF License warnings.
		55m 46s

Subsystem	Report/Notes
Docker	ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/4/artifact/out/Dockerfile
GITHUB PR	#8158
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux 532ac47f0a2e 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / f3a3744
Default Java	Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/4/testReport/
Max. process+thread count	636 (vs. ulimit of 5500)
modules	C: hadoop-project U: hadoop-project
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/4/console
versions	git=2.25.1 maven=3.9.11
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

you reverted the use of the builder changes?

[pjfanning]

you reverted the use of the builder changes?

I've added the builder change back. I mistakenly thought the code removal issue was with the AWS SDK but the issue is in amazon-s3-encryption-client-java.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 42s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	9m 40s		Maven dependency ordering for branch
+1 💚	mvninstall	15m 22s		trunk passed
+1 💚	compile	9m 23s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	compile	9m 28s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	checkstyle	1m 29s		trunk passed
+1 💚	mvnsite	1m 5s		trunk passed
+1 💚	javadoc	1m 12s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 58s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+0 🆗	spotbugs	0m 35s		branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
-1 ❌	spotbugs	0m 59s	/branch-spotbugs-hadoop-tools_hadoop-aws-warnings.html	hadoop-tools/hadoop-aws in trunk has 2 extant spotbugs warnings.
+1 💚	shadedclient	15m 34s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 20s		Maven dependency ordering for patch
+1 💚	mvninstall	0m 31s		the patch passed
+1 💚	compile	8m 49s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javac	8m 49s		the patch passed
+1 💚	compile	9m 41s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	javac	9m 41s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	1m 39s		the patch passed
+1 💚	mvnsite	1m 5s		the patch passed
+1 💚	javadoc	1m 2s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	0m 59s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+0 🆗	spotbugs	0m 23s		hadoop-project has no data from spotbugs
+1 💚	shadedclient	15m 16s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 25s		hadoop-project in the patch passed.
+1 💚	unit	2m 15s		hadoop-aws in the patch passed.
+1 💚	asflicense	0m 39s		The patch does not generate ASF License warnings.
		114m 15s

Subsystem	Report/Notes
Docker	ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/5/artifact/out/Dockerfile
GITHUB PR	#8158
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle
uname	Linux 03d13b74b1a7 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 098717a
Default Java	Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/5/testReport/
Max. process+thread count	618 (vs. ulimit of 5500)
modules	C: hadoop-project hadoop-tools/hadoop-aws U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/5/console
versions	git=2.25.1 maven=3.9.11 spotbugs=4.9.7
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	1m 18s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 1s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+0 🆗	shelldocs	0m 0s		Shelldocs was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	7m 53s		Maven dependency ordering for branch
+1 💚	mvninstall	35m 11s		trunk passed
+1 💚	compile	19m 25s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	compile	20m 29s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	checkstyle	3m 48s		trunk passed
-1 ❌	mvnsite	10m 16s	/branch-mvnsite-root.txt	root in trunk failed.
+1 💚	javadoc	9m 56s		trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	9m 16s		trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+0 🆗	spotbugs	0m 25s		branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
-1 ❌	spotbugs	1m 20s	/branch-spotbugs-hadoop-tools_hadoop-aws-warnings.html	hadoop-tools/hadoop-aws in trunk has 2 extant spotbugs warnings.
-1 ❌	spotbugs	38m 4s	/branch-spotbugs-root-warnings.html	root in trunk has 95 extant spotbugs warnings.
+1 💚	shadedclient	69m 20s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 48s		Maven dependency ordering for patch
+1 💚	mvninstall	35m 35s		the patch passed
+1 💚	compile	21m 51s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javac	21m 51s		the patch passed
+1 💚	compile	19m 12s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+1 💚	javac	19m 12s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	3m 38s		the patch passed
-1 ❌	mvnsite	8m 12s	/patch-mvnsite-root.txt	root in the patch failed.
+1 💚	shellcheck	0m 0s		No new issues.
+1 💚	javadoc	10m 4s		the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04
+1 💚	javadoc	9m 51s		the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
+0 🆗	spotbugs	0m 20s		hadoop-project has no data from spotbugs
+1 💚	shadedclient	69m 28s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	818m 43s	/patch-unit-root.txt	root in the patch passed.
+1 💚	asflicense	1m 55s		The patch does not generate ASF License warnings.
		1198m 35s

Reason	Tests
Failed junit tests	hadoop.yarn.server.resourcemanager.webapp.TestRMWebServicesReservation
	hadoop.yarn.server.resourcemanager.TestRMHA
	hadoop.yarn.server.router.subcluster.fair.TestYarnFederationWithFairScheduler
	hadoop.yarn.service.TestYarnNativeServices
	hadoop.yarn.sls.appmaster.TestAMSimulator
	hadoop.hdfs.tools.TestDFSAdmin
	hadoop.hdfs.server.balancer.TestBalancerWithHANameNodes

Subsystem	Report/Notes
Docker	ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/3/artifact/out/Dockerfile
GITHUB PR	#8158
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint spotbugs checkstyle shellcheck shelldocs
uname	Linux e13863bb18c9 5.15.0-164-generic #174-Ubuntu SMP Fri Nov 14 20:25:16 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / d2aa107
Default Java	Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Multi-JDK versions	/usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/3/testReport/
Max. process+thread count	3980 (vs. ulimit of 5500)
modules	C: hadoop-project hadoop-tools/hadoop-aws . U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8158/3/console
versions	git=2.25.1 maven=3.9.11 spotbugs=4.9.7 shellcheck=0.7.0
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.