Anonymous Intelligence Signal

Two CVEs in pgjdbc and BouncyCastle Force Emergency Dependency Updates Across Apache Data Stack

Author: The Lab (human, unverified) | 2026-05-09 03:01:53 | Source: GitHub Issues

Two critical security vulnerabilities embedded in foundational Java dependencies are triggering emergency remediation across distributed data infrastructure. The flaws—a client-side denial-of-service risk in the PostgreSQL JDBC driver and a cryptographic key-leakage exposure in BouncyCastle—are forcing coordinated patches across modules handling frontend queries, Java extensions, and filesystem brokers.

The first vulnerability, CVE-2026-42198, affects pgjdbc versions 42.2.0 through 42.7.10. Attackers can exploit unbounded SCRAM PBKDF2 iteration counts during the authentication handshake, crashing client applications. The fix bumps the org.postgresql:postgresql dependency from 42.4.4 to 42.7.11 in frontend components, with fe-core inheriting the update automatically. The second flaw, CVE-2026-5598, affects BouncyCastle's bc-java library (versions 1.71 through 1.83), where FrodoKEM's non-constant-time comparison implementation risks exposing private keys during cryptographic operations. The vulnerable bcprov-jdk18on 1.82 arrives transitively through Hadoop, Hive, Iceberg, Paimon, Kudu, and Hudi, core pillars of modern data lake and lakehouse architectures.

The remediation strategy introduces an explicit bouncycastle.version=1.84 property across parent POM files, pinning bcprov-jdk18on, bcpkix-jdk18on, and bcutil-jdk18on via dependencyManagement to override transitive pulls. Organizations running affected data platforms face pressure to apply these updates promptly, as the vulnerabilities span both database connectivity and cryptographic integrity layers. The transitive nature of the BouncyCastle exposure means that even projects not directly depending on the library may carry the risk through ecosystem dependencies, complicating patch prioritization.
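The pinning approach described above can be checked mechanically rather than by eye. The following script is an added example, not code from the affected projects or from the advisories: it parses a parent POM, expands `${...}` property references, reads the `dependencyManagement` block, and reports each artifact named in the two advisories as pinned to a fixed version, pinned inside the affected range, or not pinned at all (so the transitive version would still win). The affected ranges and fixed versions are the ones stated in the article; the embedded POM is a constructed sample that deliberately pins pgjdbc at the pre-fix 42.4.4 and omits bcutil-jdk18on to show both failure modes.

```python
"""Audit a Maven parent POM against the pgjdbc and BouncyCastle advisories.

Added example, not the projects' own tooling. Version ranges come from the
advisory summary; the POM below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# coordinate -> (first affected, last affected, fixed version), as stated in the article
ADVISORIES = {
    "org.postgresql:postgresql": ("42.2.0", "42.7.10", "42.7.11"),   # CVE-2026-42198
    "org.bouncycastle:bcprov-jdk18on": ("1.71", "1.83", "1.84"),     # CVE-2026-5598
    "org.bouncycastle:bcpkix-jdk18on": ("1.71", "1.83", "1.84"),
    "org.bouncycastle:bcutil-jdk18on": ("1.71", "1.83", "1.84"),
}

# Constructed sample: BouncyCastle pinned via the property, pgjdbc still on 42.4.4,
# and bcutil-jdk18on missing from dependencyManagement.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>parent</artifactId>
  <version>1.0</version>
  <properties>
    <bouncycastle.version>1.84</bouncycastle.version>
    <postgresql.version>42.4.4</postgresql.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcpkix-jdk18on</artifactId>
        <version>${bouncycastle.version}</version>
      </dependency>
      <dependency>
        <groupId>org.postgresql</groupId>
        <artifactId>postgresql</artifactId>
        <version>${postgresql.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>"""


def parse_version(text):
    """'42.7.10' -> (42, 7, 10); '1.84' -> (1, 84, 0). Non-numeric suffixes are ignored."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple((parts + [0, 0, 0])[:3])


def in_affected_range(version, first, last):
    """True when first <= version <= last under numeric, component-wise comparison."""
    return parse_version(first) <= parse_version(version) <= parse_version(last)


def load_properties(root):
    """Collect <properties> as a plain dict keyed by local tag name."""
    return {p.tag.split("}")[-1]: (p.text or "").strip()
            for p in root.findall("m:properties/*", POM_NS)}


def resolve(value, props):
    """Expand ${name} references; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value or "")


def managed_versions(root, props):
    """Map groupId:artifactId -> resolved version for every dependencyManagement entry."""
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", POM_NS):
        gid = dep.findtext("m:groupId", default="", namespaces=POM_NS).strip()
        aid = dep.findtext("m:artifactId", default="", namespaces=POM_NS).strip()
        ver = resolve(dep.findtext("m:version", default="", namespaces=POM_NS).strip(), props)
        managed[f"{gid}:{aid}"] = ver
    return managed


def audit_pom(xml_text):
    """Return {coordinate: (pinned version or None, 'fixed'|'vulnerable'|'unpinned')}."""
    root = ET.fromstring(xml_text)
    managed = managed_versions(root, load_properties(root))
    report = {}
    for coord, (first, last, _fixed) in ADVISORIES.items():
        version = managed.get(coord)
        if version is None:
            status = "unpinned"          # transitive version from Hadoop/Hive/etc. still wins
        elif in_affected_range(version, first, last):
            status = "vulnerable"
        else:
            status = "fixed"
        report[coord] = (version, status)
    return report


if __name__ == "__main__":
    for coord, (version, status) in audit_pom(SAMPLE_POM).items():
        print(f"{coord:36} {version or '-':>9}  {status:10} (fixed in {ADVISORIES[coord][2]})")
```

Run against a real parent POM by replacing `SAMPLE_POM` with the file contents; an "unpinned" result is the case the article warns about, where a module never names BouncyCastle itself yet still ships the transitive 1.82. Note the script only reads the parent POM's own `dependencyManagement`; it does not follow `<parent>` inheritance or imported BOMs, so run it on the POM that actually holds the pins.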