You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@bookkeeper.apache.org by yo...@apache.org on 2023/06/20 05:51:07 UTC
[bookkeeper] 02/03: Upgrade grpc and protobuf to address CVE-2023-32732 (#3992)

This is an automated email from the ASF dual-hosted git repository.

yong pushed a commit to branch branch-4.16
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git

commit 9bfb4a921e8fd13f02af926dd7e23e8455839a7a
Author: Lari Hotari <lh...@users.noreply.github.com>
AuthorDate: Tue Jun 20 06:33:49 2023 +0300

    Upgrade grpc and protobuf to address CVE-2023-32732 (#3992)
    
    ### Motivation
    
    OWASP dependency check fails because of CVE-2023-32732 in grpc.
    
    ### Changes
    
    * Upgrade grpc to 1.56.0
    * Upgrade protobuf to 3.22.3 to match the version used in grpc 1.56.0
    * Upgrade other grpc/protobuf related libs
    
    (cherry picked from commit e188ed82d39705132a2b4848a240dc60c50cd72b)
---
 .../src/main/resources/LICENSE-all.bin.txt         | 64 +++++++++++-----------
 .../src/main/resources/LICENSE-bkctl.bin.txt       | 64 +++++++++++-----------
 .../src/main/resources/LICENSE-server.bin.txt      | 64 +++++++++++-----------
 .../src/main/resources/NOTICE-all.bin.txt          | 18 +++---
 .../src/main/resources/NOTICE-bkctl.bin.txt        | 18 +++---
 .../src/main/resources/NOTICE-server.bin.txt       | 18 +++---
 metadata-drivers/etcd/pom.xml                      |  8 +++
 pom.xml                                            |  6 +-
 stream/common/pom.xml                              |  8 +++
 stream/tests-common/pom.xml                        |  8 +++
 10 files changed, 150 insertions(+), 126 deletions(-)

diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 3b5f140ed3..ba837481ab 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -275,26 +275,26 @@ Apache Software License, Version 2.
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
 - lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
 - lib/net.jpountz.lz4-lz4-1.3.0.jar [26]
-- lib/com.google.api.grpc-proto-google-common-protos-2.0.1.jar [28]
-- lib/com.google.code.gson-gson-2.9.0.jar [29]
+- lib/com.google.api.grpc-proto-google-common-protos-2.17.0.jar [28]
+- lib/com.google.code.gson-gson-2.10.1.jar [29]
 - lib/io.opencensus-opencensus-api-0.28.0.jar [30]
 - lib/io.opencensus-opencensus-contrib-http-util-0.28.0.jar [30]
 - lib/io.opencensus-opencensus-proto-0.2.0.jar [30]
-- lib/io.grpc-grpc-all-1.47.0.jar [33]
-- lib/io.grpc-grpc-alts-1.47.0.jar [33]
-- lib/io.grpc-grpc-api-1.47.0.jar [33]
-- lib/io.grpc-grpc-auth-1.47.0.jar [33]
-- lib/io.grpc-grpc-context-1.47.0.jar [33]
-- lib/io.grpc-grpc-core-1.47.0.jar [33]
-- lib/io.grpc-grpc-grpclb-1.47.0.jar [33]
-- lib/io.grpc-grpc-netty-1.47.0.jar [33]
-- lib/io.grpc-grpc-protobuf-1.47.0.jar [33]
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar [33]
-- lib/io.grpc-grpc-services-1.47.0.jar [33]
-- lib/io.grpc-grpc-stub-1.47.0.jar [33]
-- lib/io.grpc-grpc-testing-1.47.0.jar [33]
-- lib/io.grpc-grpc-xds-1.47.0.jar [33]
-- lib/io.grpc-grpc-rls-1.47.0.jar[33]
+- lib/io.grpc-grpc-all-1.56.0.jar [33]
+- lib/io.grpc-grpc-alts-1.56.0.jar [33]
+- lib/io.grpc-grpc-api-1.56.0.jar [33]
+- lib/io.grpc-grpc-auth-1.56.0.jar [33]
+- lib/io.grpc-grpc-context-1.56.0.jar [33]
+- lib/io.grpc-grpc-core-1.56.0.jar [33]
+- lib/io.grpc-grpc-grpclb-1.56.0.jar [33]
+- lib/io.grpc-grpc-netty-1.56.0.jar [33]
+- lib/io.grpc-grpc-protobuf-1.56.0.jar [33]
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar [33]
+- lib/io.grpc-grpc-services-1.56.0.jar [33]
+- lib/io.grpc-grpc-stub-1.56.0.jar [33]
+- lib/io.grpc-grpc-testing-1.56.0.jar [33]
+- lib/io.grpc-grpc-xds-1.56.0.jar [33]
+- lib/io.grpc-grpc-rls-1.56.0.jar[33]
 - lib/org.apache.curator-curator-client-5.1.0.jar [34]
 - lib/org.apache.curator-curator-framework-5.1.0.jar [34]
 - lib/org.apache.curator-curator-recipes-5.1.0.jar [34]
@@ -308,15 +308,15 @@ Apache Software License, Version 2.
 - lib/com.google.android-annotations-4.1.1.4.jar [42]
 - lib/com.google.http-client-google-http-client-1.41.0.jar [43]
 - lib/com.google.http-client-google-http-client-gson-1.41.0.jar [43]
-- lib/com.google.auto.value-auto-value-annotations-1.9.jar [44]
+- lib/com.google.auto.value-auto-value-annotations-1.10.1.jar [44]
 - lib/com.google.j2objc-j2objc-annotations-1.3.jar [45]
-- lib/com.google.re2j-re2j-1.5.jar [46]
+- lib/com.google.re2j-re2j-1.7.jar [46]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [47]
 - lib/io.dropwizard.metrics-metrics-graphite-4.1.12.1.jar [47]
 - lib/io.dropwizard.metrics-metrics-jmx-4.1.12.1.jar [47]
 - lib/io.dropwizard.metrics-metrics-jvm-4.1.12.1.jar [47]
-- lib/io.perfmark-perfmark-api-0.25.0.jar [48]
-- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
+- lib/io.perfmark-perfmark-api-0.26.0.jar [48]
+- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
 - lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/org.hdrhistogram-HdrHistogram-2.1.10.jar [52]
@@ -347,10 +347,10 @@ Apache Software License, Version 2.
 [24] Source available at https://github.com/cbeust/jcommander/tree/1.82
 [25] Source available at https://github.com/DataSketches/sketches-core/tree/sketches-0.8.3
 [26] Source available at https://github.com/lz4/lz4-java/tree/1.3.0
-[28] Source available at https://github.com/googleapis/java-common-protos/tree/v2.0.1
-[29] Source available at https://github.com/google/gson/tree/gson-parent-2.9.0
+[28] Source available at https://github.com/googleapis/java-common-protos/tree/v2.17.0
+[29] Source available at https://github.com/google/gson/tree/gson-parent-2.10.1
 [30] Source available at https://github.com/census-instrumentation/opencensus-java/tree/v0.28.0
-[33] Source available at https://github.com/grpc/grpc-java/tree/v1.47.0
+[33] Source available at https://github.com/grpc/grpc-java/tree/v1.56.0
 [34] Source available at https://github.com/apache/curator/releases/tag/apache.curator-5.1.0
 [35] Source available at https://github.com/inferred/FreeBuilder/tree/v2.7.0
 [36] Source available at https://github.com/google/error-prone/tree/v2.9.0
@@ -361,12 +361,12 @@ Apache Software License, Version 2.
 [41] Source available at https://github.com/apache/thrift/tree/0.14.2
 [42] Source available at https://source.android.com/
 [43] Source available at https://github.com/googleapis/google-http-java-client/releases/tag/v1.41.0
-[44] Source available at https://github.com/google/auto/releases/tag/auto-value-1.9
+[44] Source available at https://github.com/google/auto/releases/tag/auto-value-1.10.1
 [45] Source available at https://github.com/google/j2objc/releases/tag/1.3
-[46] Source available at https://github.com/google/re2j/releases/tag/re2j-1.5
+[46] Source available at https://github.com/google/re2j/releases/tag/re2j-1.7
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
-[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.25.0
-[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
+[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
+[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
 [50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/HdrHistogram/HdrHistogram/tree/HdrHistogram-2.1.10
@@ -641,13 +641,13 @@ This product bundles Google Protocol Buffers, which is available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.19.6.jar
-Source available at https://github.com/google/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-3.22.3.jar
+Source available at https://github.com/google/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.19.6.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-util-3.22.3.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.12.0/LICENSE.
 ------------------------------------------------------------------------------------
 This product bundles the JCP Standard Java Servlet API, which is available under a
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index b31351645f..67897da947 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -250,26 +250,26 @@ Apache Software License, Version 2.
 - lib/org.apache.zookeeper-zookeeper-3.8.1-tests.jar [20]
 - lib/com.beust-jcommander-1.82.jar [23]
 - lib/net.jpountz.lz4-lz4-1.3.0.jar [25]
-- lib/com.google.api.grpc-proto-google-common-protos-2.0.1.jar [27]
-- lib/com.google.code.gson-gson-2.9.0.jar [28]
+- lib/com.google.api.grpc-proto-google-common-protos-2.17.0.jar [27]
+- lib/com.google.code.gson-gson-2.10.1.jar [28]
 - lib/io.opencensus-opencensus-api-0.28.0.jar [29]
 - lib/io.opencensus-opencensus-contrib-http-util-0.28.0.jar [29]
 - lib/io.opencensus-opencensus-proto-0.2.0.jar [29]
-- lib/io.grpc-grpc-all-1.47.0.jar [32]
-- lib/io.grpc-grpc-alts-1.47.0.jar [32]
-- lib/io.grpc-grpc-api-1.47.0.jar [32]
-- lib/io.grpc-grpc-auth-1.47.0.jar [32]
-- lib/io.grpc-grpc-context-1.47.0.jar [32]
-- lib/io.grpc-grpc-core-1.47.0.jar [32]
-- lib/io.grpc-grpc-grpclb-1.47.0.jar [32]
-- lib/io.grpc-grpc-netty-1.47.0.jar [32]
-- lib/io.grpc-grpc-protobuf-1.47.0.jar [32]
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar [32]
-- lib/io.grpc-grpc-services-1.47.0.jar [32]
-- lib/io.grpc-grpc-stub-1.47.0.jar [32]
-- lib/io.grpc-grpc-testing-1.47.0.jar [32]
-- lib/io.grpc-grpc-xds-1.47.0.jar [32]
-- lib/io.grpc-grpc-rls-1.47.0.jar[32]
+- lib/io.grpc-grpc-all-1.56.0.jar [32]
+- lib/io.grpc-grpc-alts-1.56.0.jar [32]
+- lib/io.grpc-grpc-api-1.56.0.jar [32]
+- lib/io.grpc-grpc-auth-1.56.0.jar [32]
+- lib/io.grpc-grpc-context-1.56.0.jar [32]
+- lib/io.grpc-grpc-core-1.56.0.jar [32]
+- lib/io.grpc-grpc-grpclb-1.56.0.jar [32]
+- lib/io.grpc-grpc-netty-1.56.0.jar [32]
+- lib/io.grpc-grpc-protobuf-1.56.0.jar [32]
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar [32]
+- lib/io.grpc-grpc-services-1.56.0.jar [32]
+- lib/io.grpc-grpc-stub-1.56.0.jar [32]
+- lib/io.grpc-grpc-testing-1.56.0.jar [32]
+- lib/io.grpc-grpc-xds-1.56.0.jar [32]
+- lib/io.grpc-grpc-rls-1.56.0.jar[32]
 - lib/org.apache.curator-curator-client-5.1.0.jar [33]
 - lib/org.apache.curator-curator-framework-5.1.0.jar [33]
 - lib/org.apache.curator-curator-recipes-5.1.0.jar [33]
@@ -281,14 +281,14 @@ Apache Software License, Version 2.
 - lib/org.apache.httpcomponents-httpcore-4.4.15.jar [39]
 - lib/org.apache.thrift-libthrift-0.14.2.jar [40]
 - lib/com.google.android-annotations-4.1.1.4.jar [41]
-- lib/com.google.auto.value-auto-value-annotations-1.9.jar [42]
+- lib/com.google.auto.value-auto-value-annotations-1.10.1.jar [42]
 - lib/com.google.http-client-google-http-client-1.41.0.jar [43]
 - lib/com.google.http-client-google-http-client-gson-1.41.0.jar [43]
 - lib/com.google.j2objc-j2objc-annotations-1.3.jar [44]
-- lib/com.google.re2j-re2j-1.5.jar [45]
+- lib/com.google.re2j-re2j-1.7.jar [45]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [46]
-- lib/io.perfmark-perfmark-api-0.25.0.jar [47]
-- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
+- lib/io.perfmark-perfmark-api-0.26.0.jar [47]
+- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
 - lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/com.carrotsearch-hppc-0.9.1.jar [52]
@@ -310,10 +310,10 @@ Apache Software License, Version 2.
 [20] Source available at https://github.com/apache/zookeeper/tree/release-3.8.0
 [23] Source available at https://github.com/cbeust/jcommander/tree/1.82
 [25] Source available at https://github.com/lz4/lz4-java/tree/1.3.0
-[27] Source available at https://github.com/googleapis/java-common-protos/tree/v2.0.1
-[28] Source available at https://github.com/google/gson/tree/gson-parent-2.9.0
+[27] Source available at https://github.com/googleapis/java-common-protos/tree/v2.17.0
+[28] Source available at https://github.com/google/gson/tree/gson-parent-2.10.1
 [29] Source available at https://github.com/census-instrumentation/opencensus-java/tree/v0.28.0
-[32] Source available at https://github.com/grpc/grpc-java/tree/v1.47.0
+[32] Source available at https://github.com/grpc/grpc-java/tree/v1.56.0
 [33] Source available at https://github.com/apache/curator/tree/apache-curator-5.1.0
 [34] Source available at https://github.com/inferred/FreeBuilder/tree/v2.7.0
 [35] Source available at https://github.com/google/error-prone/tree/v2.9.0
@@ -323,13 +323,13 @@ Apache Software License, Version 2.
 [39] Source available at https://github.com/apache/httpcomponents-core/tree/rel/v4.4.15
 [40] Source available at https://github.com/apache/thrift/tree/0.14.2
 [41] Source available at https://source.android.com/
-[42] Source available at https://github.com/google/auto/releases/tag/auto-value-1.9
+[42] Source available at https://github.com/google/auto/releases/tag/auto-value-1.10.1
 [43] Source available at https://github.com/googleapis/google-http-java-client/releases/tag/v1.41.0
 [44] Source available at https://github.com/google/j2objc/releases/tag/1.3
-[45] Source available at https://github.com/google/re2j/releases/tag/re2j-1.5
+[45] Source available at https://github.com/google/re2j/releases/tag/re2j-1.7
 [46] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
-[47] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.25.0
-[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
+[47] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
+[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
 [50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
@@ -566,13 +566,13 @@ This product bundles Google Protocol Buffers, which is available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.19.6.jar
-Source available at https://github.com/google/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-3.22.3.jar
+Source available at https://github.com/google/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.19.6.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-util-3.22.3.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.12.0/LICENSE.
 ------------------------------------------------------------------------------------
 This product bundles Simple Logging Facade for Java, which is available under a
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index b26219b582..4c430e8515 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -275,26 +275,26 @@ Apache Software License, Version 2.
 - lib/com.yahoo.datasketches-memory-0.8.3.jar [25]
 - lib/com.yahoo.datasketches-sketches-core-0.8.3.jar [25]
 - lib/net.jpountz.lz4-lz4-1.3.0.jar [26]
-- lib/com.google.api.grpc-proto-google-common-protos-2.0.1.jar [28]
-- lib/com.google.code.gson-gson-2.9.0.jar [29]
+- lib/com.google.api.grpc-proto-google-common-protos-2.17.0.jar [28]
+- lib/com.google.code.gson-gson-2.10.1.jar [29]
 - lib/io.opencensus-opencensus-api-0.28.0.jar [30]
 - lib/io.opencensus-opencensus-contrib-http-util-0.28.0.jar [30]
 - lib/io.opencensus-opencensus-proto-0.2.0.jar [30]
-- lib/io.grpc-grpc-all-1.47.0.jar [33]
-- lib/io.grpc-grpc-alts-1.47.0.jar [33]
-- lib/io.grpc-grpc-api-1.47.0.jar [33]
-- lib/io.grpc-grpc-auth-1.47.0.jar [33]
-- lib/io.grpc-grpc-context-1.47.0.jar [33]
-- lib/io.grpc-grpc-core-1.47.0.jar [33]
-- lib/io.grpc-grpc-grpclb-1.47.0.jar [33]
-- lib/io.grpc-grpc-netty-1.47.0.jar [33]
-- lib/io.grpc-grpc-protobuf-1.47.0.jar [33]
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar [33]
-- lib/io.grpc-grpc-services-1.47.0.jar [33]
-- lib/io.grpc-grpc-stub-1.47.0.jar [33]
-- lib/io.grpc-grpc-testing-1.47.0.jar [33]
-- lib/io.grpc-grpc-xds-1.47.0.jar [33]
-- lib/io.grpc-grpc-rls-1.47.0.jar[33]
+- lib/io.grpc-grpc-all-1.56.0.jar [33]
+- lib/io.grpc-grpc-alts-1.56.0.jar [33]
+- lib/io.grpc-grpc-api-1.56.0.jar [33]
+- lib/io.grpc-grpc-auth-1.56.0.jar [33]
+- lib/io.grpc-grpc-context-1.56.0.jar [33]
+- lib/io.grpc-grpc-core-1.56.0.jar [33]
+- lib/io.grpc-grpc-grpclb-1.56.0.jar [33]
+- lib/io.grpc-grpc-netty-1.56.0.jar [33]
+- lib/io.grpc-grpc-protobuf-1.56.0.jar [33]
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar [33]
+- lib/io.grpc-grpc-services-1.56.0.jar [33]
+- lib/io.grpc-grpc-stub-1.56.0.jar [33]
+- lib/io.grpc-grpc-testing-1.56.0.jar [33]
+- lib/io.grpc-grpc-xds-1.56.0.jar [33]
+- lib/io.grpc-grpc-rls-1.56.0.jar[33]
 - lib/org.apache.curator-curator-client-5.1.0.jar [34]
 - lib/org.apache.curator-curator-framework-5.1.0.jar [34]
 - lib/org.apache.curator-curator-recipes-5.1.0.jar [34]
@@ -308,12 +308,12 @@ Apache Software License, Version 2.
 - lib/com.google.android-annotations-4.1.1.4.jar [42]
 - lib/com.google.http-client-google-http-client-1.41.0.jar [43]
 - lib/com.google.http-client-google-http-client-gson-1.41.0.jar [43]
-- lib/com.google.auto.value-auto-value-annotations-1.9.jar [44]
+- lib/com.google.auto.value-auto-value-annotations-1.10.1.jar [44]
 - lib/com.google.j2objc-j2objc-annotations-1.3.jar [45]
-- lib/com.google.re2j-re2j-1.5.jar [46]
+- lib/com.google.re2j-re2j-1.7.jar [46]
 - lib/io.dropwizard.metrics-metrics-core-4.1.12.1.jar [47]
-- lib/io.perfmark-perfmark-api-0.25.0.jar [48]
-- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.1.jar [49]
+- lib/io.perfmark-perfmark-api-0.26.0.jar [48]
+- lib/org.conscrypt-conscrypt-openjdk-uber-2.5.2.jar [49]
 - lib/org.xerial.snappy-snappy-java-1.1.10.1.jar [50]
 - lib/io.reactivex.rxjava3-rxjava-3.0.1.jar [51]
 - lib/com.carrotsearch-hppc-0.9.1.jar [52]
@@ -343,10 +343,10 @@ Apache Software License, Version 2.
 [24] Source available at https://github.com/cbeust/jcommander/tree/1.82
 [25] Source available at https://github.com/DataSketches/sketches-core/tree/sketches-0.8.3
 [26] Source available at https://github.com/lz4/lz4-java/tree/1.3.0
-[28] Source available at https://github.com/googleapis/java-common-protos/tree/v2.0.1
-[29] Source available at https://github.com/google/gson/tree/gson-parent-2.9.0
+[28] Source available at https://github.com/googleapis/java-common-protos/tree/v2.17.0
+[29] Source available at https://github.com/google/gson/tree/gson-parent-2.10.1
 [30] Source available at https://github.com/census-instrumentation/opencensus-java/tree/v0.28.0
-[33] Source available at https://github.com/grpc/grpc-java/tree/v1.47.0
+[33] Source available at https://github.com/grpc/grpc-java/tree/v1.56.0
 [34] Source available at https://github.com/apache/curator/releases/tag/apache.curator-5.1.0
 [35] Source available at https://github.com/inferred/FreeBuilder/tree/v2.7.0
 [36] Source available at https://github.com/google/error-prone/tree/v2.9.0
@@ -357,12 +357,12 @@ Apache Software License, Version 2.
 [41] Source available at https://github.com/apache/thrift/tree/0.14.2
 [42] Source available at https://source.android.com/
 [43] Source available at https://github.com/googleapis/google-http-java-client/releases/tag/v1.41.0
-[44] Source available at https://github.com/google/auto/releases/tag/auto-value-1.9
+[44] Source available at https://github.com/google/auto/releases/tag/auto-value-1.10.1
 [45] Source available at https://github.com/google/j2objc/releases/tag/1.3
-[46] Source available at https://github.com/google/re2j/releases/tag/re2j-1.5
+[46] Source available at https://github.com/google/re2j/releases/tag/re2j-1.7
 [47] Source available at https://github.com/dropwizard/metrics/releases/tag/v4.1.12.1
-[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.25.0
-[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.1
+[48] Source available at https://github.com/perfmark/perfmark/releases/tag/v0.26.0
+[49] Source available at https://github.com/google/conscrypt/releases/tag/2.5.2
 [50] Source available at https://github.com/xerial/snappy-java/releases/tag/v1.1.10.1
 [51] Source available at https://github.com/ReactiveX/RxJava/tree/v3.0.1
 [52] Source available at https://github.com/carrotsearch/hppc/tree/0.9.1
@@ -630,13 +630,13 @@ This product bundles Google Protocol Buffers, which is available under a "3-clau
 license.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-3.19.6.jar
-Source available at https://github.com/google/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-3.22.3.jar
+Source available at https://github.com/google/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.14.0/LICENSE.
 
 Bundled as
-  - lib/com.google.protobuf-protobuf-java-util-3.19.6.jar
-Source available at https://github.com/protocolbuffers/protobuf/tree/v3.19.6
+  - lib/com.google.protobuf-protobuf-java-util-3.22.3.jar
+Source available at https://github.com/protocolbuffers/protobuf/tree/v3.22.3
 For details, see deps/protobuf-3.12.0/LICENSE.
 ------------------------------------------------------------------------------------
 This product bundles the JCP Standard Java Servlet API, which is available under a
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt b/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
index 0d630af6a5..01ceaf80c6 100644
--- a/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/NOTICE-all.bin.txt
@@ -134,15 +134,15 @@ granted provided that the copyright notice appears in all copies.
 Copyright 2010 Cedric Beust cedric@beust.com
 
 ------------------------------------------------------------------------------------
-- lib/io.grpc-grpc-all-1.47.0.jar
-- lib/io.grpc-grpc-auth-1.47.0.jar
-- lib/io.grpc-grpc-context-1.47.0.jar
-- lib/io.grpc-grpc-core-1.47.0.jar
-- lib/io.grpc-grpc-netty-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar
-- lib/io.grpc-grpc-stub-1.47.0.jar
-- lib/io.grpc-grpc-testing-1.47.0.jar
+- lib/io.grpc-grpc-all-1.56.0.jar
+- lib/io.grpc-grpc-auth-1.56.0.jar
+- lib/io.grpc-grpc-context-1.56.0.jar
+- lib/io.grpc-grpc-core-1.56.0.jar
+- lib/io.grpc-grpc-netty-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar
+- lib/io.grpc-grpc-stub-1.56.0.jar
+- lib/io.grpc-grpc-testing-1.56.0.jar
 
 Copyright 2014, gRPC Authors All rights reserved.
 
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/NOTICE-bkctl.bin.txt
index 292620d1b0..e4c1a03a8a 100644
--- a/bookkeeper-dist/src/main/resources/NOTICE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/NOTICE-bkctl.bin.txt
@@ -56,15 +56,15 @@ under the License.
 Copyright 2010 Cedric Beust cedric@beust.com
 
 ------------------------------------------------------------------------------------
-- lib/io.grpc-grpc-all-1.47.0.jar
-- lib/io.grpc-grpc-auth-1.47.0.jar
-- lib/io.grpc-grpc-context-1.47.0.jar
-- lib/io.grpc-grpc-core-1.47.0.jar
-- lib/io.grpc-grpc-netty-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar
-- lib/io.grpc-grpc-stub-1.47.0.jar
-- lib/io.grpc-grpc-testing-1.47.0.jar
+- lib/io.grpc-grpc-all-1.56.0.jar
+- lib/io.grpc-grpc-auth-1.56.0.jar
+- lib/io.grpc-grpc-context-1.56.0.jar
+- lib/io.grpc-grpc-core-1.56.0.jar
+- lib/io.grpc-grpc-netty-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar
+- lib/io.grpc-grpc-stub-1.56.0.jar
+- lib/io.grpc-grpc-testing-1.56.0.jar
 
 Copyright 2014, gRPC Authors All rights reserved.
 
diff --git a/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt b/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
index c0cd48d335..96d7d9d664 100644
--- a/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/NOTICE-server.bin.txt
@@ -116,15 +116,15 @@ granted provided that the copyright notice appears in all copies.
 Copyright 2010 Cedric Beust cedric@beust.com
 
 ------------------------------------------------------------------------------------
-- lib/io.grpc-grpc-all-1.47.0.jar
-- lib/io.grpc-grpc-auth-1.47.0.jar
-- lib/io.grpc-grpc-context-1.47.0.jar
-- lib/io.grpc-grpc-core-1.47.0.jar
-- lib/io.grpc-grpc-netty-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-1.47.0.jar
-- lib/io.grpc-grpc-protobuf-lite-1.47.0.jar
-- lib/io.grpc-grpc-stub-1.47.0.jar
-- lib/io.grpc-grpc-testing-1.47.0.jar
+- lib/io.grpc-grpc-all-1.56.0.jar
+- lib/io.grpc-grpc-auth-1.56.0.jar
+- lib/io.grpc-grpc-context-1.56.0.jar
+- lib/io.grpc-grpc-core-1.56.0.jar
+- lib/io.grpc-grpc-netty-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-1.56.0.jar
+- lib/io.grpc-grpc-protobuf-lite-1.56.0.jar
+- lib/io.grpc-grpc-stub-1.56.0.jar
+- lib/io.grpc-grpc-testing-1.56.0.jar
 
 Copyright 2014, gRPC Authors All rights reserved.
 
diff --git a/metadata-drivers/etcd/pom.xml b/metadata-drivers/etcd/pom.xml
index 2d13190404..be330511a4 100644
--- a/metadata-drivers/etcd/pom.xml
+++ b/metadata-drivers/etcd/pom.xml
@@ -58,6 +58,14 @@
           <groupId>io.grpc</groupId>
           <artifactId>grpc-okhttp</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet-jakarta</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
 
diff --git a/pom.xml b/pom.xml
index 3ecb97eaf2..e8a9d83c9c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -132,7 +132,7 @@
     <freebuilder.version>2.7.0</freebuilder.version>
     <google.code.version>3.0.2</google.code.version>
     <google.errorprone.version>2.9.0</google.errorprone.version>
-    <grpc.version>1.47.0</grpc.version>
+    <grpc.version>1.56.0</grpc.version>
     <guava.version>31.0.1-jre</guava.version>
     <kerby.version>1.1.1</kerby.version>
     <hadoop.version>3.3.5</hadoop.version>
@@ -161,8 +161,8 @@
     <datasketches.version>0.8.3</datasketches.version>
     <httpclient.version>4.5.13</httpclient.version>
     <httpcore.version>4.4.15</httpcore.version>
-    <protobuf.version>3.19.6</protobuf.version>
-    <protoc3.version>3.19.6</protoc3.version>
+    <protobuf.version>3.22.3</protobuf.version>
+    <protoc3.version>3.22.3</protoc3.version>
     <protoc-gen-grpc-java.version>${grpc.version}</protoc-gen-grpc-java.version>
     <reflections.version>0.9.11</reflections.version>
     <rocksdb.version>7.9.2</rocksdb.version>
diff --git a/stream/common/pom.xml b/stream/common/pom.xml
index 25a272714c..a6d0304ca7 100644
--- a/stream/common/pom.xml
+++ b/stream/common/pom.xml
@@ -52,6 +52,14 @@
           <groupId>io.grpc</groupId>
           <artifactId>grpc-okhttp</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet-jakarta</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
diff --git a/stream/tests-common/pom.xml b/stream/tests-common/pom.xml
index 6961f64c50..e5b5a5e937 100644
--- a/stream/tests-common/pom.xml
+++ b/stream/tests-common/pom.xml
@@ -44,6 +44,14 @@
           <groupId>io.grpc</groupId>
           <artifactId>grpc-okhttp</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet</artifactId>
+        </exclusion>
+        <exclusion>
+          <groupId>io.grpc</groupId>
+          <artifactId>grpc-servlet-jakarta</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>