[ https://issues.apache.org/jira/browse/GEODE-10546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10546:
---------------------------------
    Labels: security  (was: )

> Address CVE-2025-48924 in Apache Commons Lang3
> ----------------------------------------------
>
>                 Key: GEODE-10546
>                 URL: https://issues.apache.org/jira/browse/GEODE-10546
>             Project: Geode
>          Issue Type: Improvement
>          Components: security
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>              Labels: security
>             Fix For: 1.15.3
>
>
> h1. Address CVE-2025-48924 in Apache Commons Lang3
> h2. Summary
> Upgrade Apache Commons Lang3 to 3.18.0 to address CVE-2025-48924 
> (Uncontrolled Recursion vulnerability)
> h2. Issue Type
>  * *Type:* Security Vulnerability / Bug
>  * *Priority:* High
>  * *Component:* Dependencies
>  * *Affects Version:* 1.15.2 (using commons-lang3 3.12.0)
> h2. Description
> h3. Vulnerability Details
> *CVE-2025-48924* is an Uncontrolled Recursion vulnerability in Apache Commons 
> Lang that can cause StackOverflowError.
>  * *Affected Versions:*
>  ** commons-lang 2.0 to 2.6
>  ** commons-lang3 3.0 to 3.17.x
>  * *Fixed Version:* commons-lang3 3.18.0
>  * *Severity:* High
>  * *CWE-674:* Uncontrolled Recursion
> h3. Technical Impact
> The {{ClassUtils.getClass(...)}} methods can throw {{StackOverflowError}} on
> very long inputs. Because an Error is usually not handled by applications and
> libraries, a StackOverflowError could cause an application to stop
> unexpectedly.
> h3. Current State
> Apache Geode 1.15.2 currently uses *commons-lang3 3.12.0*, which is
> affected by this vulnerability.
> h2. Acceptance Criteria
>  * ☐ Upgrade commons-lang3 from 3.12.0 to 3.18.0 in 
> DependencyConstraints.groovy
>  * ☐ Replace deprecated commons-lang3 methods with Java standard library 
> equivalents:
>  ** {{StringUtils.startsWith()}} → {{String.startsWith()}}
>  ** {{StringUtils.containsIgnoreCase()}} → {{toLowerCase().contains()}}
>  ** {{StringUtils.equals()}} → {{Objects.equals()}}
>  ** {{StringUtils.removeStart()}} → {{startsWith()}} + {{substring()}}
>  ** {{LineIterator.nextLine()}} → {{LineIterator.next()}}
>  * ☐ Build succeeds with all quality checks (javadoc, spotlessCheck, rat, 
> checkPom, pmdMain)
>  * ☐ Fix test failures related to commons-lang3 3.18.0:
>  ** ServerConnectionTest: Replace {{mock(MutableInt.class)}} with {{new MutableInt(0)}} due to Mockito incompatibility
>  ** Investigate ConnectCommandTest failures (24 tests returning null error 
> messages)
>  ** Investigate OplogEntryIdSetTest failure (overflow behavior)
>  * ☐ All unit tests pass
>  * ☐ No new CVE vulnerabilities introduced
>  * ☐ Documentation updated if needed
> h2. Implementation Notes
> h3. Files to Modify
>  # *DependencyConstraints.groovy* (Line 37)
> {code:groovy}
> deps.put("commons-lang3.version", "3.18.0")  // was 3.12.0
> {code}
>  # *Production Code Changes* (commons-lang3 deprecation fixes)
>  * ConnectCommand.java (Line 126)
>  * QueryCommand.java
>  * CreateIndexCommand.java
>  * Index.java
>  * FixedPartitionAttributesInfo.java
>  * RegionAttributesInfo.java
>  * PartitionAttributesInfo.java
>  * StartServerCommandAcceptanceTest.java
>  # *Test Code Changes* (commons-lang3 3.18.0 compatibility fixes)
>  * ServerConnectionTest.java (Line 310): Mockito cannot mock MutableInt in 
> 3.18.0
>  * ConnectCommandTest.java: Investigate 24 null error message failures
>  * OplogEntryIdSetTest.java: Investigate overflow behavior issue
> h3. Known Issues with commons-lang3 3.18.0
> {panel:title=Critical Issue|borderStyle=solid|borderColor=#cccccc|titleBGColor=#f7d6c1|bgColor=#ffffce}
> commons-lang3 3.18.0 has bytecode changes in {{MutableInt}} class that are 
> incompatible with Mockito inline mocking:
>  * *Error:* {{java.lang.reflect.MalformedParametersException: Invalid parameter name ""}}
>  * *Solution:* Replace {{mock(MutableInt.class)}} with real instances like {{new MutableInt(0)}}
> {panel}
> h3. Testing Strategy
>  # *Build Verification:*
> {code:bash}
> ./gradlew clean build install javadoc spotlessCheck rat checkPom \
>   resolveDependencies pmdMain -x test
> {code}
>  # *Unit Tests:*
> {code:bash}
> ./gradlew japicmp test
> {code}
>  # *Focused Test Execution:*
> {code:bash}
> ./gradlew :geode-core:test --tests ServerConnectionTest
> ./gradlew :geode-gfsh:test --tests ConnectCommandTest
> {code}
> h2. References
>  * [CVE Details|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
>  * [Apache Advisory|https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1]
>  * [OSS Security|http://www.openwall.com/lists/oss-security/2025/07/11/1]
>  * [CWE-674|https://cwe.mitre.org/data/definitions/674.html]
> h2. Risk Assessment
> h4. Without Fix:
>  * Application could crash unexpectedly with StackOverflowError
>  * No graceful error handling for malformed inputs
>  * Potential DoS vulnerability if attackers can control inputs to 
> ClassUtils.getClass()
> h4. With Fix:
>  * Vulnerability eliminated in commons-lang3 3.18.0
>  * Improved stability and security
>  * Known test compatibility issues require code changes
> h2. Dependencies / Blockers
>  * Commons-lang3 3.18.0 introduces Mockito mocking incompatibilities with 
> mutable classes
>  * Test infrastructure may require updates for Spring Shell command parsing
>  * Coordinate with other dependency upgrades (Log4j 2.25.3, commons-io 
> 2.18.0, slf4j-api 1.7.36)
> h2. Labels
> {{security}}, {{cve}}, {{commons-lang3}}, {{dependency-upgrade}}, {{high-priority}}
> h2. Estimated Effort
>  * Development: 3-5 days
>  * Testing: 2-3 days
>  * Total: 1 sprint
> ----
>  
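The acceptance criteria above replace null-safe commons-lang3 StringUtils calls with plain JDK calls, and that is where a dependency-driven migration most often regresses: String.startsWith and toLowerCase().contains() throw NullPointerException on null input, whereas the StringUtils versions return false or pass the input through. The following is an added example, not Geode code and not part of the ticket; the class and method names are invented, and the null semantics it reproduces are those of the StringUtils methods named in the criteria. Locale.ROOT is used for the case-insensitive comparison so the result does not depend on the JVM default locale.

```java
import java.util.Locale;
import java.util.Objects;

/**
 * Hypothetical helpers (not Geode's own code) showing the StringUtils -> JDK
 * replacements from the acceptance criteria with the null handling preserved.
 * Each method mirrors the corresponding commons-lang3 StringUtils behaviour
 * for null and empty arguments so the migration does not introduce NPEs.
 */
public final class NullSafeStringReplacements {

    private NullSafeStringReplacements() {}

    /** StringUtils.startsWith(str, prefix): null-safe; (null, null) is true, one null is false. */
    public static boolean startsWith(String str, String prefix) {
        if (str == null || prefix == null) {
            return str == null && prefix == null;
        }
        return str.startsWith(prefix);
    }

    /** StringUtils.containsIgnoreCase(str, search): false for any null argument.
     *  Locale.ROOT avoids locale-dependent case folding (e.g. the Turkish dotless i). */
    public static boolean containsIgnoreCase(String str, String search) {
        if (str == null || search == null) {
            return false;
        }
        return str.toLowerCase(Locale.ROOT).contains(search.toLowerCase(Locale.ROOT));
    }

    /** StringUtils.equals(a, b): Objects.equals already handles nulls the same way. */
    public static boolean equalsNullSafe(String a, String b) {
        return Objects.equals(a, b);
    }

    /** StringUtils.removeStart(str, remove): returns str unchanged when either
     *  argument is null or empty, or when str does not start with remove. */
    public static String removeStart(String str, String remove) {
        if (str == null || str.isEmpty() || remove == null || remove.isEmpty()) {
            return str;
        }
        return str.startsWith(remove) ? str.substring(remove.length()) : str;
    }

    public static void main(String[] args) {
        // Constructed inputs; each check documents a null case the bare JDK call would get wrong.
        check(startsWith(null, null), "startsWith(null, null) is true, as in StringUtils");
        check(!startsWith(null, "a"), "startsWith(null, \"a\") is false, not an NPE");
        check(startsWith("/region/x", "/region"), "plain prefix match");
        check(!containsIgnoreCase(null, "x"), "containsIgnoreCase(null, ...) is false");
        check(containsIgnoreCase("Locator-Host", "locator"), "case-insensitive hit");
        check(equalsNullSafe(null, null) && !equalsNullSafe("a", null), "Objects.equals null handling");
        check(removeStart(null, "a") == null, "removeStart(null, ...) returns null");
        check("bar".equals(removeStart("foobar", "foo")), "prefix removed");
        check("foobar".equals(removeStart("foobar", "baz")), "no match leaves input unchanged");
        System.out.println("all replacement checks passed");
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new AssertionError(what);
        }
    }
}
```

Compile and run with `javac NullSafeStringReplacements.java && java NullSafeStringReplacements`; the assertions in main are the cases a reviewer should look for when checking the ConnectCommand, QueryCommand and Index changes, since an argument that was previously tolerated as null now needs an explicit guard at the call site.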
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
