Update org.dom4j in kettle-core and kettle-engine (v2.1.1 has critical vulnerability)

[mariusssi]

dom4j is still version 2.1.1 in both the engine and core packages. And this has a critical CVE, CVE-2020-10683 , we need to fix.
Could you please upgrade to 2.1.3 or 2.1.4 ?
Actually in pom there's no explicit version set when included, so I couldn't find where it comes from.
I did try to force the version with reuploading the changed poms and jars of core+engine in my own repo, but it didn't work, I still got 2.1.1 in it.

Affects latest 9.3 and 9.5 too: 9.3.0.6-786, 9.5.2.0-273

[mariusssi]

If upgrade is not possible, there is a mitigation mentioned in that CVE page, I believe like this: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Please clarify if this is already done, this file looks promising. Comes from PPP-3506

[smmribeiro]

Thank you @mariusssi.
I'm closing this issue as the dom4j upgrade from 2.1.1 to 2.1.4 was done under PPP-4538. This change was made available as part of our 10.1 release.