Security: upgrade unboundid ldapsdk to 4.0.8 (#34247)

This commit upgrades the unboundid ldapsdk to version 4.0.8. The
primary driver for upgrading is a fix that prevents this library from
rewrapping Error instances that would normally bubble up to the
UncaughtExceptionHandler and terminate the JVM. Other notable changes
include some fixes related to connection handling in the library's
connection pool implementation.

Closes #33175

Author: jaymode

x-pack/plugin/core/build.gradle

@@ -35,7 +35,7 @@ dependencies {
     compile "commons-codec:commons-codec:${versions.commonscodec}"
 
     // security deps
-    compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
+    compile 'com.unboundid:unboundid-ldapsdk:4.0.8'
     compile project(path: ':modules:transport-netty4', configuration: 'runtime')
     compile(project(path: ':plugins:transport-nio', configuration: 'runtime')) {
         // TODO: core exclusion should not be necessary, since it is a transitive dep of all plugins

x-pack/plugin/core/licenses/unboundid-ldapsdk-3.2.0.jar.sha1

@@ -0,0 +1 @@
+bf1a0d3790f8f7bd28f1172323c26fed2e3bbaa5

x-pack/plugin/core/licenses/unboundid-ldapsdk-4.0.8.jar.sha1

@@ -1,76 +1,77 @@
                      UnboundID LDAP SDK Free Use License
 
-THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND UNBOUNDID CORP. ("UNBOUNDID")
-REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY ASSOCIATED
-DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND SOURCE FILES OR
-OTHER MATERIALS MADE AVAILABLE BY UNBOUNDID (COLLECTIVELY REFERRED TO IN THIS
-AGREEMENT AS THE ("SDK").
+THIS IS AN AGREEMENT BETWEEN YOU ("YOU") AND PING IDENTITY CORPORATION
+("PING IDENTITY") REGARDING YOUR USE OF UNBOUNDID LDAP SDK FOR JAVA AND ANY
+ASSOCIATED DOCUMENTATION, OBJECT CODE, COMPILED LIBRARIES, SOURCE CODE AND
+SOURCE FILES OR OTHER MATERIALS MADE AVAILABLE BY PING IDENTITY (COLLECTIVELY
+REFERRED TO IN THIS AGREEMENT AS THE ("SDK").
 
 BY INSTALLING, ACCESSING OR OTHERWISE USING THE SDK, YOU ACCEPT THE TERMS OF
 THIS AGREEMENT.  IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, DO NOT
 INSTALL, ACCESS OR USE THE SDK.
 
-USE OF THE SDK.  Subject to your compliance with this Agreement, UnboundID
-grants to You a non-exclusive, royalty-free license, under UnboundID's
+USE OF THE SDK.  Subject to your compliance with this Agreement, Ping Identity
+grants to You a non-exclusive, royalty-free license, under Ping Identity's
 intellectual property rights in the SDK, to use, reproduce, modify and
 distribute this release of the SDK; provided that no license is granted herein
 under any patents that may be infringed by your modifications, derivative works
 or by other works in which the SDK may be incorporated (collectively, your
 "Applications").  You may reproduce and redistribute the SDK with your
 Applications provided that you (i) include this license file and an
-unmodified copy of the unboundid-ldapsdk-se.jar file; and (ii) such
+unmodified copy of the unboundid-ldapsdk.jar file; and (ii) such
 redistribution is subject to a license whose terms do not conflict with or
 contradict the terms of this Agreement. You may also reproduce and redistribute
 the SDK without your Applications provided that you redistribute the SDK
 complete and unmodified (i.e., with all "read me" files, copyright notices, and
-other legal notices and terms that UnboundID has included in the SDK).
+other legal notices and terms that Ping Identity has included in the SDK).
 
-SCOPE OF LICENSES.  This Agreement does not grant You the right to use any
-UnboundID intellectual property which is not included as part of the SDK.  The
+SCOPE OF LICENSES.  This Agreement does not grant You the right to use any Ping
+Identity intellectual property which is not included as part of the SDK.  The
 SDK is licensed, not sold.  This Agreement only gives You some rights to use
-the SDK.  UnboundID reserves all other rights. Unless applicable law gives You
-more rights despite this limitation, You may use the SDK only as expressly
+the SDK.  Ping Identity reserves all other rights. Unless applicable law gives
+You more rights despite this limitation, You may use the SDK only as expressly
 permitted in this Agreement.
 
-SUPPORT.  UnboundID is not obligated to provide any technical or other support
-("Support Services") for the SDK to You under this Agreement. However, if
-UnboundID chooses to provide any Support Services to You, Your use of such
-Support Services will be governed by then-current UnboundID support policies.
+SUPPORT.  Ping Identity is not obligated to provide any technical or other
+support ("Support Services") for the SDK to You under this Agreement. However,
+if Ping Identity chooses to provide any Support Services to You, Your use of
+such Support Services will be governed by then-current Ping Identity support
+policies.
 
-TERMINATION.  UnboundID reserves the right to discontinue offering the SDK and
-to modify the SDK at any time in its sole discretion.  Notwithstanding anything
-contained in this Agreement to the contrary, UnboundID may also, in its sole
-discretion, terminate or suspend access to the SDK to You or any end user at
-any time.  In addition, if you fail to comply with the terms of this Agreement,
-then any rights granted herein will be automatically terminated if such failure
-is not corrected within 30 days of the initial notification of such failure.
-You acknowledge that termination and/or monetary damages may not be a
-sufficient remedy if You breach this Agreement and that UnboundID will be
-entitled, without waiving any other rights or remedies, to injunctive or
+TERMINATION.  Ping Identity reserves the right to discontinue offering the SDK
+and to modify the SDK at any time in its sole discretion.  Notwithstanding
+anything contained in this Agreement to the contrary, Ping Identity may also,
+in its sole discretion, terminate or suspend access to the SDK to You or any
+end user at any time.  In addition, if you fail to comply with the terms of
+this Agreement, then any rights granted herein will be automatically terminated
+if such failure is not corrected within 30 days of the initial notification of
+such failure.  You acknowledge that termination and/or monetary damages may not
+be a sufficient remedy if You breach this Agreement and that Ping Identity will
+be entitled, without waiving any other rights or remedies, to injunctive or
 equitable relief as may be deemed proper by a court of competent jurisdiction
-in the event of a breach.  UnboundID may also terminate this Agreement if the
-SDK becomes, or in UnboundID?s reasonable opinion is likely to become, the
-subject of a claim of intellectual property infringement or trade secret
+in the event of a breach.  Ping Identity may also terminate this Agreement if
+the SDK becomes, or in Ping Identity's reasonable opinion is likely to become,
+the subject of a claim of intellectual property infringement or trade secret
 misappropriation.  All rights and licenses granted herein will simultaneously
 and automatically terminate upon termination of this Agreement for any reason.
 
-DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND UNBOUNDID DOES NOT
+DISCLAIMER OF WARRANTY. THE SDK IS PROVIDED "AS IS" AND PING IDENTITY DOES NOT
 WARRANT THAT THE SDK WILL BE ERROR-FREE, VIRUS-FREE, WILL PERFORM IN AN
 UNINTERRUPTED, SECURE OR TIMELY MANNER, OR WILL INTEROPERATE WITH OTHER
 HARDWARE, SOFTWARE, SYSTEMS OR DATA.  TO THE MAXIMUM EXTENT ALLOWED BY LAW, ALL
 CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY
 OR OTHERWISE INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF UNBOUNDID HAD BEEN
-INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE HEREBY
-DISCLAIMED.
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE (EVEN IF PING IDENTITY HAD
+BEEN INFORMED OF SUCH PURPOSE), OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS ARE
+HEREBY DISCLAIMED.
 
-LIMITATION OF LIABILITY.  IN NO EVENT WILL UNBOUNDID OR ITS SUPPLIERS BE LIABLE
-FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
+LIMITATION OF LIABILITY.  IN NO EVENT WILL PING IDENTITY OR ITS SUPPLIERS BE
+LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
 REVENUE, DATA OR DATA USE, BUSINESS INTERRUPTION, COST OF COVER, DIRECT,
 INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL OR CONSEQUENTIAL DAMAGES OF ANY KIND)
 ARISING OUT OF THE USE OF OR INABILITY TO USE THE SDK OR IN ANY WAY RELATED TO
-THIS AGREEMENT, EVEN IF UNBOUNDID HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGES.
+THIS AGREEMENT, EVEN IF PING IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
 
 ADDITIONAL RIGHTS.  Certain states do not allow the exclusion of implied
 warranties or limitation of liability for certain kinds of damages, so the

x-pack/plugin/core/licenses/unboundid-ldapsdk-LICENSE.txt

@@ -102,6 +102,7 @@ public class XPackPlugin extends XPackClientPlugin implements ScriptPlugin, Exte
                 public Void run() {
                     try {
                         Class.forName("com.unboundid.util.Debug");
+                        Class.forName("com.unboundid.ldap.sdk.LDAPConnectionOptions");
                     } catch (ClassNotFoundException e) {
                         throw new RuntimeException(e);
                     }

x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/XPackPlugin.java

@@ -23,7 +23,7 @@ dependencies {
 
     testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
 
-    compile 'com.unboundid:unboundid-ldapsdk:3.2.0'
+    compile 'com.unboundid:unboundid-ldapsdk:4.0.8'
     compileOnly 'org.bouncycastle:bcprov-jdk15on:1.59'
     compileOnly 'org.bouncycastle:bcpkix-jdk15on:1.59'