From b1f9995dcf0f4c196846ec265e8bcf0276f4280c Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Mon, 13 Dec 2021 12:21:34 -0600
Subject: [PATCH 1/6] Update all out-of-date dependencies

(cherry picked from commit dc18f560db0a20d5c5998a30c18605814dc1059d)
---
 pom.xml                                       | 22 +++++++++----------
 .../integrations/s3/S3EventProcessor.java     |  2 +-
 .../integrations/s3/S3EventProcessorTest.java |  2 +-
 3 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/pom.xml b/pom.xml
index 5522ad3..1ae6105 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,42 +16,42 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-lambda-java-core</artifactId>
-            <version>1.2.0</version>
+            <version>1.2.1</version>
         </dependency>
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-lambda-java-events</artifactId>
-            <version>2.2.7</version>
+            <version>3.11.0</version>
         </dependency>
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.11.647</version>
+            <version>1.12.128</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.9.9</version>
+            <version>2.13.0</version>
         </dependency>
         <dependency>
             <groupId>com.google.inject</groupId>
             <artifactId>guice</artifactId>
-            <version>4.0</version>
+            <version>5.0.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.9</version>
+            <version>3.12.0</version>
         </dependency>
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
-            <version>4.1.42.Final</version>
+            <version>4.1.71.Final</version>
         </dependency>
         <dependency>
             <groupId>com.github.wnameless.json</groupId>
             <artifactId>json-flattener</artifactId>
-            <version>0.7.1</version>
+            <version>0.13.0</version>
         </dependency>
         <dependency>
             <groupId>com.github.joschi</groupId>
@@ -61,12 +61,12 @@
         <dependency>
             <groupId>org.graylog2</groupId>
             <artifactId>gelfclient</artifactId>
-            <version>1.5.0</version>
+            <version>1.5.1</version>
         </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>28.1-jre</version>
+            <version>31.0.1-jre</version>
         </dependency>
         <dependency>
             <groupId>com.amazonaws</groupId>
@@ -91,7 +91,7 @@
         <dependency>
           <groupId>junit</groupId>
           <artifactId>junit</artifactId>
-          <version>4.13</version>
+          <version>4.13.2</version>
           <scope>test</scope>
         </dependency>
        <dependency>
diff --git a/src/main/java/org/graylog/integrations/s3/S3EventProcessor.java b/src/main/java/org/graylog/integrations/s3/S3EventProcessor.java
index 49876ff..565b325 100644
--- a/src/main/java/org/graylog/integrations/s3/S3EventProcessor.java
+++ b/src/main/java/org/graylog/integrations/s3/S3EventProcessor.java
@@ -1,7 +1,7 @@
 package org.graylog.integrations.s3;
 
+import com.amazonaws.services.lambda.runtime.events.models.s3.S3EventNotification;
 import com.amazonaws.services.s3.AmazonS3;
-import com.amazonaws.services.s3.event.S3EventNotification;
 import com.amazonaws.services.s3.model.S3Object;
 import com.google.common.base.Strings;
 import org.apache.logging.log4j.LogManager;
diff --git a/src/test/java/org/graylog/integrations/s3/S3EventProcessorTest.java b/src/test/java/org/graylog/integrations/s3/S3EventProcessorTest.java
index 94451b6..53209b0 100644
--- a/src/test/java/org/graylog/integrations/s3/S3EventProcessorTest.java
+++ b/src/test/java/org/graylog/integrations/s3/S3EventProcessorTest.java
@@ -1,7 +1,7 @@
 package org.graylog.integrations.s3;
 
+import com.amazonaws.services.lambda.runtime.events.models.s3.S3EventNotification;
 import com.amazonaws.services.s3.AmazonS3;
-import com.amazonaws.services.s3.event.S3EventNotification;
 import com.amazonaws.services.s3.model.S3Object;
 import org.graylog.integrations.s3.codec.S3Codec;
 import org.graylog2.gelfclient.GelfMessage;

From 1289117f08e249f61bc8e208af37aab87b4e52fd Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Tue, 14 Dec 2021 11:12:39 -0600
Subject: [PATCH 2/6] Update to log4j 2.16.0

Log4j 2.16.0 completely disables JNDI by default.

> CVE-2021-44228 has shown the JNDI has significant security issues.
2.16.0 disables JNDI by default.

Also bump the AWS S3 SDK version.

https://logging.apache.org/log4j/2.x/changes-report.html#a2.16.0
---
 pom.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 1ae6105..4f9b150 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <log4j.version>2.15.0</log4j.version>
+        <log4j.version>2.16.0</log4j.version>
     </properties>
 
     <dependencies>
@@ -26,7 +26,7 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.128</version>
+            <version>1.12.129</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
@@ -127,7 +127,7 @@
                   <dependency>
                       <groupId>com.github.edwgiz</groupId>
                       <artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
-                      <version>2.8.1</version>
+                      <version>2.15</version>
                   </dependency>
               </dependencies>
           </plugin>

From 6e5f815699b4751fd18ddaaf222c32d5db6541dc Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Tue, 14 Dec 2021 11:19:00 -0600
Subject: [PATCH 3/6] Update maven-shade-plugin and log4j transformer versions

---
 pom.xml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4f9b150..df0d5ce 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,7 +107,7 @@
           <plugin>
               <groupId>org.apache.maven.plugins</groupId>
               <artifactId>maven-shade-plugin</artifactId>
-              <version>2.4.3</version>
+              <version>3.2.4</version>
               <executions>
                   <execution>
                       <phase>package</phase>
@@ -117,7 +117,7 @@
                       <configuration>
                           <transformers>
                               <transformer
-                                      implementation="com.github.edwgiz.mavenShadePlugin.log4j2CacheTransformer.PluginsCacheFileTransformer">
+                                      implementation="com.github.edwgiz.maven_shade_plugin.log4j2_cache_transformer.PluginsCacheFileTransformer">
                               </transformer>
                           </transformers>
                       </configuration>
@@ -127,7 +127,7 @@
                   <dependency>
                       <groupId>com.github.edwgiz</groupId>
                       <artifactId>maven-shade-plugin.log4j2-cachefile-transformer</artifactId>
-                      <version>2.15</version>
+                      <version>2.15.0</version>
                   </dependency>
               </dependencies>
           </plugin>

From 4577b4f7ff92f888704e37455a6032030b156201 Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Wed, 15 Dec 2021 14:07:54 -0600
Subject: [PATCH 4/6] Update aws-lambda-java-log4j2 to 1.4.0, which uses log4j
 2.16.0

See https://github.com/aws/aws-lambda-java-libs/commit/d1e734a38786167c064e3d333e99faccbecbf9e0
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index df0d5ce..debc867 100644
--- a/pom.xml
+++ b/pom.xml
@@ -71,7 +71,7 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-lambda-java-log4j2</artifactId>
-            <version>1.3.0</version>
+            <version>1.4.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>

From 3ef188b56502238531d17a0dd86560edc3c2c811 Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Wed, 5 Jan 2022 14:18:08 -0600
Subject: [PATCH 5/6] Update dependencies to latest, especially log4j

Update Log4j dependencies to the latest version, especially log4j to the latest version 2.17.1 to fix recent CVEs.
---
 pom.xml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pom.xml b/pom.xml
index debc867..9aa8cea 100644
--- a/pom.xml
+++ b/pom.xml
@@ -9,7 +9,7 @@
     <properties>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>
-        <log4j.version>2.16.0</log4j.version>
+        <log4j.version>2.17.1</log4j.version>
     </properties>
 
     <dependencies>
@@ -26,12 +26,12 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.129</version>
+            <version>1.12.133</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.13.0</version>
+            <version>2.13.1</version>
         </dependency>
         <dependency>
             <groupId>com.google.inject</groupId>
@@ -46,7 +46,7 @@
         <dependency>
             <groupId>io.netty</groupId>
             <artifactId>netty-handler</artifactId>
-            <version>4.1.71.Final</version>
+            <version>4.1.72.Final</version>
         </dependency>
         <dependency>
             <groupId>com.github.wnameless.json</groupId>
@@ -71,7 +71,7 @@
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-lambda-java-log4j2</artifactId>
-            <version>1.4.0</version>
+            <version>1.5.1</version>
         </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>

From 0f3f3e3339b7a62e5107f4a8051f52c4b48c72aa Mon Sep 17 00:00:00 2001
From: Dan Torrey <dan@graylog.com>
Date: Wed, 5 Jan 2022 15:00:19 -0600
Subject: [PATCH 6/6] Use log4j version for log4j-maven-shade-plugin-extensions

The versions of log4j-maven-shade-plugin-extensions and log4j should coincide according to https://github.com/edwgiz/maven-shaded-log4j-transformer

> A number of the transformer version corresponds to the number of the artifacts in org.apache.logging.log4j group
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index f37b8d9..796c688 100644
--- a/pom.xml
+++ b/pom.xml
@@ -139,7 +139,7 @@
                   <dependency>
                       <groupId>io.github.edwgiz</groupId>
                       <artifactId>log4j-maven-shade-plugin-extensions</artifactId>
-                      <version>2.16.0</version>
+                      <version>${log4j.version}</version>
                   </dependency>
               </dependencies>
           </plugin>