[ https://issues.apache.org/jira/browse/SOLR-17822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18008938#comment-18008938 ]

Piotr Karwasz commented on SOLR-17822:
--------------------------------------

Hi [~ishakunwar],

Thanks for raising this. I’m tracking the issue and will propose a [Vulnerability Exploitability eXchange (VEX) statement|https://solr.staged.apache.org/security.html#cve-reports-for-apache-solr-dependencies] shortly.

This is a low (per Apache Commons) to medium (CVSS 5.3 per CISA) severity vulnerability that appears to be *very unlikely* to be exploitable in Solr. Based on preliminary analysis, the affected {{ClassUtils}} method is *not reachable* in the Apache Solr codebase — though I’ll double-check and publish a formal VEX statement by the end of the week.

For awareness: the current *9.9.0 RC1* does include version {{3.15.0}} of {{commons-lang3}}, but given the low likelihood of impact, I don’t believe it's necessary to block the release or request an RC2 at this stage. Of course, that decision rests with the release manager, and you're welcome to raise any concerns or feedback on the [vote thread|https://lists.apache.org/thread/dc0qtx30x7x3xggc021ml8wnfgfcyrvh].

Piotr

PS: Would you mind assigning this JIRA ticket to me?



> Upgrade commons-lang3 to 3.18.0
> -------------------------------
>
>                 Key: SOLR-17822
>                 URL: https://issues.apache.org/jira/browse/SOLR-17822
>             Project: Solr
>          Issue Type: Task
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Build, security
>    Affects Versions: 9.5, 9.7, 9.8.1
>         Environment: Detected via internal security scan across deployed Solr versions: *9.5, 9.7, and 9.8.*
>            Reporter: Isha Kunwar
>            Priority: Major
>              Labels: security
>         Attachments: Screenshot 2025-07-22 101544.png
>
>
> While reviewing our deployments, we noticed that Apache Solr ships with *commons-lang3* version 3.14.0, which is affected by *CVE-2025-48924* (High severity).
> Details:
>  - *CVE*: [CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
>  - *Affected Library:* org.apache.commons:commons-lang3
>  - *Detected Version*: 3.14.0
>  - *Fixed Version:* 3.18.0
>  - *Path*: /opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar
>  - *Detected On*: 9.5, 9.7, 9.8
>  - *Detection Time*: 2025-07-11
>  - *Issue*: Uncontrolled recursion in {{ClassUtils.getClass(...)}} may throw a [{{StackOverflowError}}|https://nvd.nist.gov/vuln/detail/CVE-2025-48924] on very long inputs.
>  - *Impact*: Since {{Error}}s are typically not caught by applications or libraries, this could result in application crashes.
> Request:
> Please let me know if this issue is known or already being tracked, and whether an upgrade or patch is planned in upcoming Solr releases.
>



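The report above pins the finding to a jar file name under the Solr webapp and a fixed version (3.18.0). As an added example (not part of the ticket, and not Solr's own tooling), the script below walks that WEB-INF/lib path in one or more Solr installs, parses the commons-lang3 version from the jar name and flags anything older than the fixed release; the directory layout and install names it builds are constructed for the demo.

```python
"""Flag commons-lang3 jars older than the release that fixes CVE-2025-48924.

Assumptions (from the ticket): the jar lives under
server/solr-webapp/webapp/WEB-INF/lib/ and the fixed version is 3.18.0.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (3, 18, 0)                       # fixed version named in the report
LIB_DIR = Path("server/solr-webapp/webapp/WEB-INF/lib")
JAR_RE = re.compile(r"^commons-lang3-(\d+(?:\.\d+)*)\.jar$")


def parse_version(jar_name):
    """Return the jar's version as a 3-tuple (zero-padded), or None if not commons-lang3."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(jar_name):
    """True when the jar is a commons-lang3 build older than the fixed release."""
    version = parse_version(jar_name)
    return version is not None and version < FIXED_VERSION


def scan_solr_root(root):
    """List (jar name, affected?) for every commons-lang3 jar in one Solr install."""
    lib = Path(root) / LIB_DIR
    return [(p.name, is_affected(p.name)) for p in sorted(lib.glob("commons-lang3-*.jar"))]


def demo():
    """Build a constructed two-install tree in a temp dir and scan both installs."""
    fixtures = {"solr-a": "commons-lang3-3.14.0.jar",   # constructed: the reported version
                "solr-b": "commons-lang3-3.18.0.jar"}   # constructed: the fixed version
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for install, jar in fixtures.items():
            lib = Path(tmp) / install / LIB_DIR
            lib.mkdir(parents=True)
            (lib / jar).write_bytes(b"")             # empty placeholder, only the name matters
            (lib / "commons-io-2.16.0.jar").write_bytes(b"")  # unrelated jar, must be ignored
            results[install] = scan_solr_root(Path(tmp) / install)
    return results


if __name__ == "__main__":
    for install, jars in demo().items():
        for jar, affected in jars:
            print(f"{install}: {jar} -> {'AFFECTED' if affected else 'ok'}")
```

The check keys on the file name only; a repackaged or shaded copy of the library would need a manifest or hash check instead.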
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
