Update PostgreSQL JDBC Driver to 42.2.25 due to 3rd-party vulnerability issue CVE-2022-21724

Current Situation

• JS7 (JobScheduler branch 2.x) Agent and JOC Cockpit Web Services ship with the PostgreSQL JDBC Driver 42.2.19.
• JS1 (JobScheduler branch 1.x) Master, Agent and JOC Cockpit Web Services ship with PostgreSQL JDBC Driver 9.4.1209.
• A vulnerability communicated by a GitHub security advisory affects this version,
  • see https://github.com/advisories/GHSA-v7wg-cpwc-24m4 for more information on the impact.
  • a CVE-ID has been registered, however, at the time of writing the issue description is not publicly available.
    • see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724 for updates on the CVE status.
• PostgreSQL JDBC Drivers are available from https://jdbc.postgresql.org/download.html
• Risk Mitigation
  • The issue is rated high by CVE and GHSA standard and medium by the producers of the driver. 
  • We rate the impact to our software as low as the attack scenario described works only in an environment where the exploit can only get active if additional supporting libraries are already present.
  • We still rate the attack scenario valid and dangerous as it became common practice for attacks to first infiltrate a system, analyze, download additional software or libraries and get active at a later time. 

Risk Mitigation

• Download the PostgreSQL JDBC Driver 42.2.25 from https://jdbc.postgresql.org/download.html
• JS7 (branch 2.x)
  • JOC Cockpit and the Agent make use of the PostgreSQL JDBC Driver.
  • Installation On Premises
    • JOC Cockpit 
      • stop JOC Cockpit
      • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
      • copy postgresql-42.2.25.jar to the JETTY_BASE/lib/ext/joc directory
      • start JOC Cockpit
      • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
    • Agent
      • stop the Agent
      • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
      • start the Agent
  • Installation for Docker Containers
    • stop JOC Cockpit
    • add postgresql-42.2.25.jar to the ./config/lib directory
    • start JOC Cockpit
• JS1 (branch 1.x)
  • JOC Cockpit, Master and Agent make use of the PostgreSQL JDBC Driver
  • Installation On Premises
    • JOC Cockpit
      • stop JOC Cockpit
      • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
      • add postgresql-42.2.25.jar to the JETTY_BASE/lib/ext/joc directory
      • start JOC Cockpit
      • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
    • Master
      • stop the Master
      • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
      • start the Master
      • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
    • Agent
      • stop the Agent
      • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
      • start the Agent

Desired Behavior

• Due to a vulnerability Issue of older postgresql driver releases JS7 and Job Scheduler 1 should use the current version 42.2.25 that fixes the issue.