[ https://issues.apache.org/jira/browse/GEODE-10546?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jinwoo Hwang updated GEODE-10546:
---------------------------------
Description:
h1. Address CVE-2025-48924 in Apache Commons Lang3
h2. Summary
Upgrade Apache Commons Lang3 to 3.18.0 to address CVE-2025-48924 (Uncontrolled
Recursion vulnerability)
h2. Issue Type
* *Type:* Security Vulnerability / Bug
* *Priority:* High
* *Component:* Dependencies
* *Affects Version:* 1.15.2 (using commons-lang3 3.12.0)
h2. Description
h3. Vulnerability Details
*CVE-2025-48924* is an Uncontrolled Recursion vulnerability in Apache Commons
Lang that can cause StackOverflowError.
* *Affected Versions:*
** commons-lang 2.0 to 2.6
** commons-lang3 3.0 to 3.17.x
* *Fixed Version:* commons-lang3 3.18.0
* *Severity:* High
* *CWE-674:* Uncontrolled Recursion
h3. Technical Impact
The methods {{ClassUtils.getClass(...)}} can throw {{StackOverflowError}} on
very long inputs. Because an Error is usually not handled by applications and
libraries, a StackOverflowError could cause an application to stop unexpectedly.
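As defence in depth for callers that resolve class names from external input, a guard of this kind rejects oversized or malformed names before {{ClassUtils.getClass}} ever sees them; this is an added illustration, not Geode code, and {{GuardedClassLookup}} and {{MAX_CLASS_NAME_LENGTH}} are an assumed class name and an assumed limit.

```java
import java.util.regex.Pattern;
import org.apache.commons.lang3.ClassUtils;

// Added example, not Geode code: validate a class name taken from untrusted
// input before handing it to ClassUtils.getClass, so oversized or malformed
// names fail with a checked, catchable exception instead of reaching the
// library's lookup. MAX_CLASS_NAME_LENGTH is an assumed limit.
public final class GuardedClassLookup {
    static final int MAX_CLASS_NAME_LENGTH = 256; // assumption, tune per deployment

    // Binary class names: dot-separated Java identifiers ('$' is a valid identifier
    // character, so nested classes pass) with optional "[]" array suffixes.
    private static final Pattern BINARY_NAME = Pattern.compile(
        "^\\p{javaJavaIdentifierStart}\\p{javaJavaIdentifierPart}*"
        + "(\\.\\p{javaJavaIdentifierStart}\\p{javaJavaIdentifierPart}*)*(\\[\\])*$");

    private GuardedClassLookup() {}

    // True only for names that are worth passing to the class loader at all.
    public static boolean isAcceptableClassName(String name) {
        return name != null
            && name.length() <= MAX_CLASS_NAME_LENGTH
            && BINARY_NAME.matcher(name).matches();
    }

    public static Class<?> load(String name) throws ClassNotFoundException {
        if (!isAcceptableClassName(name)) {
            // Fail fast; report only the length so the raw input never reaches logs.
            throw new ClassNotFoundException("rejected class name: " + describe(name));
        }
        return ClassUtils.getClass(name);
    }

    private static String describe(String name) {
        return name == null ? "null" : name.length() + " chars";
    }

    public static void main(String[] args) throws ClassNotFoundException {
        if (load("java.lang.String") != String.class) throw new AssertionError("load");
        StringBuilder oversized = new StringBuilder(); // constructed input
        while (oversized.length() <= MAX_CLASS_NAME_LENGTH) oversized.append("a.");
        if (isAcceptableClassName(oversized.toString())) throw new AssertionError("length guard");
        if (isAcceptableClassName("java lang String")) throw new AssertionError("syntax guard");
    }
}
```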
h3. Current State
Apache Geode 1.15.2 currently uses {*}commons-lang3 3.12.0{*}, which is
affected by this vulnerability.
h2. Acceptance Criteria
* Upgrade commons-lang3 from 3.12.0 to 3.18.0 in DependencyConstraints.groovy
* Replace deprecated commons-lang3 methods with Java standard library
equivalents:
** {{StringUtils.startsWith()}} → {{String.startsWith()}}
** {{StringUtils.containsIgnoreCase()}} → {{toLowerCase().contains()}}
** {{StringUtils.equals()}} → {{Objects.equals()}}
** {{StringUtils.removeStart()}} → {{startsWith()}} + {{substring()}}
** {{LineIterator.nextLine()}} → {{LineIterator.next()}}
* Build succeeds with all quality checks (javadoc, spotlessCheck, rat,
checkPom, pmdMain)
* Fix test failures related to commons-lang3 3.18.0:
** ServerConnectionTest: Replace {{mock(MutableInt.class)}} with {{new MutableInt(0)}} due to Mockito incompatibility
** Investigate ConnectCommandTest failures (24 tests returning null error
messages)
** Investigate OplogEntryIdSetTest failure (overflow behavior)
* All unit tests pass
* No new CVE vulnerabilities introduced
* Documentation updated if needed
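The standard-library replacements above are not drop-in: the {{StringUtils}} methods are null-safe and locale-independent, while a bare {{String}} call throws {{NullPointerException}} on null and {{toLowerCase()}} follows the JVM default locale. The following helpers, added here as an illustration and not part of Geode ({{StringReplacements}} is a hypothetical class name), keep those contracts:

```java
import java.util.Locale;

// Added example, not Geode code: stand-ins that keep the null contract of the
// commons-lang3 StringUtils methods listed in the acceptance criteria.
public final class StringReplacements {
    private StringReplacements() {}
    // StringUtils.startsWith: true when both are null, false when only one is.
    public static boolean startsWith(String str, String prefix) {
        if (str == null || prefix == null) {
            return str == prefix;
        }
        return str.startsWith(prefix);
    }

    // StringUtils.containsIgnoreCase: false on null input. Locale.ROOT keeps the
    // comparison locale-independent; a bare toLowerCase() follows the JVM default
    // locale, where the Turkish dotted/dotless i changes the answer.
    public static boolean containsIgnoreCase(String str, String search) {
        if (str == null || search == null) {
            return false;
        }
        return str.toLowerCase(Locale.ROOT).contains(search.toLowerCase(Locale.ROOT));
    }

    // StringUtils.removeStart: str comes back unchanged when either argument is
    // null or empty, or when str does not begin with prefix.
    public static String removeStart(String str, String prefix) {
        if (str == null || str.isEmpty() || prefix == null || prefix.isEmpty()
                || !str.startsWith(prefix)) {
            return str;
        }
        return str.substring(prefix.length());
    }

    // Self-checks on constructed inputs; the bare String calls would throw
    // NullPointerException on the null cases.
    public static void main(String[] args) {
        if (startsWith(null, "--name=") || !startsWith(null, null)) {
            throw new AssertionError("startsWith null contract");
        }
        if (!containsIgnoreCase("Locator1", "LOC") || containsIgnoreCase(null, "x")) {
            throw new AssertionError("containsIgnoreCase");
        }
        if (!"server1".equals(removeStart("--name=server1", "--name="))
                || removeStart(null, "--") != null) {
            throw new AssertionError("removeStart");
        }
    }
}
```

{{Objects.equals()}} needs no wrapper: it already treats two nulls as equal and a single null as unequal, so it is the one true drop-in on the list.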
h2. Implementation Notes
h3. Files to Modify
*DependencyConstraints.groovy* (Line 37)
{code:groovy}
deps.put("commons-lang3.version", "3.18.0") // was 3.12.0
{code}
*Production Code Changes* (commons-lang3 deprecation fixes)
* ConnectCommand.java (Line 126)
* QueryCommand.java
* CreateIndexCommand.java
* Index.java
* FixedPartitionAttributesInfo.java
* RegionAttributesInfo.java
* PartitionAttributesInfo.java
* StartServerCommandAcceptanceTest.java
*Test Code Changes* (commons-lang3 3.18.0 compatibility fixes)
* ServerConnectionTest.java (Line 310): Mockito cannot mock MutableInt in
3.18.0
* ConnectCommandTest.java: Investigate 24 null error message failures
* OplogEntryIdSetTest.java: Investigate overflow behavior issue
h3. Known Issues with commons-lang3 3.18.0
{panel:title=Critical Issue|borderStyle=solid|borderColor=#cccccc|titleBGColor=#f7d6c1|bgColor=#ffffce}
commons-lang3 3.18.0 has bytecode changes in the {{MutableInt}} class that are
incompatible with Mockito inline mocking:
* *Error:* {{java.lang.reflect.MalformedParametersException: Invalid parameter name ""}}
* *Solution:* Replace {{mock(MutableInt.class)}} with real instances like {{new MutableInt(0)}}
{panel}
h3. Testing Strategy
*Build Verification:*
{code:bash}
./gradlew clean build install javadoc spotlessCheck rat checkPom resolveDependencies pmdMain -x test
{code}
*Unit Tests:*
{code:bash}
./gradlew japicmp test
{code}
*Focused Test Execution:*
{code:bash}
./gradlew :geode-core:test --tests ServerConnectionTest
./gradlew :geode-gfsh:test --tests ConnectCommandTest
{code}
h2. References
* [CVE Details|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
* [Apache Advisory|https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1]
* [OSS Security|http://www.openwall.com/lists/oss-security/2025/07/11/1]
* [CWE-674|https://cwe.mitre.org/data/definitions/674.html]
h2. Risk Assessment
h4. Without Fix:
* Application could crash unexpectedly with StackOverflowError
* No graceful error handling for malformed inputs
* Potential DoS vulnerability if attackers can control inputs to
ClassUtils.getClass()
h4. With Fix:
* Vulnerability eliminated in commons-lang3 3.18.0
* Improved stability and security
* Known test compatibility issues require code changes
h2. Dependencies / Blockers
* Commons-lang3 3.18.0 introduces Mockito mocking incompatibilities with
mutable classes
* Test infrastructure may require updates for Spring Shell command parsing
* Coordinate with other dependency upgrades (Log4j 2.25.3, commons-io 2.18.0,
slf4j-api 1.7.36)
h2. Estimated Effort
* Development: 1-2 weeks
* Testing: 2-3 days
* Total: 1 sprint
----
was:
h1. Address CVE-2025-48924 in Apache Commons Lang3
h2. Summary
Upgrade Apache Commons Lang3 to 3.18.0 to address CVE-2025-48924 (Uncontrolled
Recursion vulnerability)
h2. Issue Type
* *Type:* Security Vulnerability / Bug
* *Priority:* High
* *Component:* Dependencies
* *Affects Version:* 1.15.2 (using commons-lang3 3.12.0)
h2. Description
h3. Vulnerability Details
*CVE-2025-48924* is an Uncontrolled Recursion vulnerability in Apache Commons
Lang that can cause StackOverflowError.
* *Affected Versions:*
** commons-lang 2.0 to 2.6
** commons-lang3 3.0 to 3.17.x
* *Fixed Version:* commons-lang3 3.18.0
* *Severity:* High
* *CWE-674:* Uncontrolled Recursion
h3. Technical Impact
The methods {{ClassUtils.getClass(...)}} can throw {{StackOverflowError}} on
very long inputs. Because an Error is usually not handled by applications and
libraries, a StackOverflowError could cause an application to stop unexpectedly.
h3. Current State
Apache Geode 1.15.2 currently uses {*}commons-lang3 3.12.0{*}, which is
affected by this vulnerability.
h2. Acceptance Criteria
* Upgrade commons-lang3 from 3.12.0 to 3.18.0 in DependencyConstraints.groovy
* Replace deprecated commons-lang3 methods with Java standard library
equivalents:
** {{StringUtils.startsWith()}} → {{String.startsWith()}}
** {{StringUtils.containsIgnoreCase()}} → {{toLowerCase().contains()}}
** {{StringUtils.equals()}} → {{Objects.equals()}}
** {{StringUtils.removeStart()}} → {{startsWith()}} + {{substring()}}
** {{LineIterator.nextLine()}} → {{LineIterator.next()}}
* Build succeeds with all quality checks (javadoc, spotlessCheck, rat,
checkPom, pmdMain)
* Fix test failures related to commons-lang3 3.18.0:
** ServerConnectionTest: Replace {{mock(MutableInt.class)}} with {{new MutableInt(0)}} due to Mockito incompatibility
** Investigate ConnectCommandTest failures (24 tests returning null error
messages)
** Investigate OplogEntryIdSetTest failure (overflow behavior)
* All unit tests pass
* No new CVE vulnerabilities introduced
* Documentation updated if needed
h2. Implementation Notes
h3. Files to Modify
*DependencyConstraints.groovy* (Line 37)
{code:groovy}
deps.put("commons-lang3.version", "3.18.0") // was 3.12.0
{code}
*Production Code Changes* (commons-lang3 deprecation fixes)
* ConnectCommand.java (Line 126)
* QueryCommand.java
* CreateIndexCommand.java
* Index.java
* FixedPartitionAttributesInfo.java
* RegionAttributesInfo.java
* PartitionAttributesInfo.java
* StartServerCommandAcceptanceTest.java
*Test Code Changes* (commons-lang3 3.18.0 compatibility fixes)
* ServerConnectionTest.java (Line 310): Mockito cannot mock MutableInt in
3.18.0
* ConnectCommandTest.java: Investigate 24 null error message failures
* OplogEntryIdSetTest.java: Investigate overflow behavior issue
h3. Known Issues with commons-lang3 3.18.0
{panel:title=Critical Issue|borderStyle=solid|borderColor=#cccccc|titleBGColor=#f7d6c1|bgColor=#ffffce}
commons-lang3 3.18.0 has bytecode changes in the {{MutableInt}} class that are
incompatible with Mockito inline mocking:
* *Error:* {{java.lang.reflect.MalformedParametersException: Invalid parameter name ""}}
* *Solution:* Replace {{mock(MutableInt.class)}} with real instances like {{new MutableInt(0)}}
{panel}
h3. Testing Strategy
*Build Verification:*
{code:bash}
./gradlew clean build install javadoc spotlessCheck rat checkPom resolveDependencies pmdMain -x test
{code}
*Unit Tests:*
{code:bash}
./gradlew japicmp test
{code}
*Focused Test Execution:*
{code:bash}
./gradlew :geode-core:test --tests ServerConnectionTest
./gradlew :geode-gfsh:test --tests ConnectCommandTest
{code}
h2. References
* [CVE Details|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
* [Apache Advisory|https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1]
* [OSS Security|http://www.openwall.com/lists/oss-security/2025/07/11/1]
* [CWE-674|https://cwe.mitre.org/data/definitions/674.html]
h2. Risk Assessment
h4. Without Fix:
* Application could crash unexpectedly with StackOverflowError
* No graceful error handling for malformed inputs
* Potential DoS vulnerability if attackers can control inputs to
ClassUtils.getClass()
h4. With Fix:
* Vulnerability eliminated in commons-lang3 3.18.0
* Improved stability and security
* Known test compatibility issues require code changes
h2. Dependencies / Blockers
* Commons-lang3 3.18.0 introduces Mockito mocking incompatibilities with
mutable classes
* Test infrastructure may require updates for Spring Shell command parsing
* Coordinate with other dependency upgrades (Log4j 2.25.3, commons-io 2.18.0,
slf4j-api 1.7.36)
h2. Estimated Effort
* Development: 3-5 days
* Testing: 2-3 days
* Total: 1 sprint
----
> Address CVE-2025-48924 in Apache Commons Lang3
> ----------------------------------------------
>
> Key: GEODE-10546
> URL: https://issues.apache.org/jira/browse/GEODE-10546
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Labels: security
> Fix For: 1.15.3
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)