JinwooHwang opened a new pull request, #7976:
URL: https://github.com/apache/geode/pull/7976

   # GEODE-10546: Address CVE-2025-48924 in Apache Commons Lang3
   
   ## Description
   
   This PR addresses the security vulnerability CVE-2025-48924 (Uncontrolled Recursion in Apache Commons Lang3) by upgrading the commons-lang3 dependency from version 3.12.0 to 3.18.0 and replacing deprecated/removed methods with Java standard library equivalents.
   
   ## Security Context
   
   **CVE-2025-48924**: Uncontrolled Recursion (CWE-674) in the `ClassUtils.getClass()` method affecting commons-lang3 versions 3.0 through 3.17.x. The vulnerability could lead to stack overflow errors when processing deeply nested class hierarchies.
   
   **Severity**: Medium  
   **Fixed in**: commons-lang3 3.18.0
   
   ## Changes Made
   
   ### 1. Dependency Upgrade
   - **File**: `build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy`
   - **Change**: Updated commons-lang3 version from "3.12.0" to "3.18.0"
   
   ### 2. Code Refactoring (9 files)
   
   Replaced deprecated StringUtils and LineIterator methods with Java standard library equivalents:
   
   #### StringUtils.startsWith → String.startsWith
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/ConnectCommand.java` (line 126)
     - Added null check: `if (url != null && url.startsWith("https"))`
   
   #### StringUtils.containsIgnoreCase → String.toLowerCase().contains()
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/QueryCommand.java` (lines 87-88)
   
   #### StringUtils.removeStart → Ternary with startsWith() + substring()
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/commands/CreateIndexCommand.java` (line 172)
   - `geode-management/src/main/java/org/apache/geode/management/configuration/Index.java` (line 91)
   
   #### StringUtils.equals → Objects.equals
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/FixedPartitionAttributesInfo.java` (line 40)
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/RegionAttributesInfo.java` (line 367)
   - `geode-gfsh/src/main/java/org/apache/geode/management/internal/cli/domain/PartitionAttributesInfo.java` (lines 155-157)
   - Added `import java.util.Objects` where needed
   
   #### LineIterator.nextLine() → LineIterator.next()
   - `geode-assembly/src/acceptanceTest/java/org/apache/geode/management/internal/cli/commands/StartServerCommandAcceptanceTest.java` (lines 106, 155)
   
   #### Mockito Compatibility Fix
   - `geode-core/src/test/java/org/apache/geode/internal/cache/ServerConnectionTest.java` (line 310)
   - Changed `mock(MutableInt.class)` to `new MutableInt(0)` due to bytecode changes in commons-lang3 3.18.0
   
   ## Testing
   
   ### Quality Checks ✅
   All quality checks pass successfully:
   - `japicmp` - API compatibility verification
   - `javadoc` - Documentation generation
   - `spotlessCheck` - Code formatting validation
   - `rat` - License header validation
   - `checkPom` - Maven POM validation
   - `resolveDependencies` - Dependency resolution
   - `pmdMain` - Static code analysis
   
   ### Unit Tests ✅
   - **ConnectCommandTest**: All 24 tests pass (previously failing due to NullPointerException)
   - **OplogEntryIdSetTest**: Passes when run individually (flaky test behavior is pre-existing, not introduced by this change)
   - All other test suites pass
   
   ### Build Verification ✅
   ```bash
   ./gradlew clean build -x test
   ./gradlew japicmp install javadoc spotlessCheck rat checkPom resolveDependencies pmdMain -x test
   ```
   
   ## Breaking Changes
   
   None. All changes maintain backward compatibility and use standard Java APIs.
   
   ## Notes
   
   - The upgrade to commons-lang3 3.18.0 introduces bytecode changes that make `MutableInt` incompatible with Mockito's mock functionality, requiring the use of actual instances in tests.
   - All deprecated StringUtils methods have been replaced with equivalent Java standard library methods, reducing dependency on Apache Commons Lang.
   - Code formatting was adjusted to comply with Spotless requirements (proper line breaks in ternary operators).
   
   ## Related Issues
   
   - JIRA: [GEODE-10546](https://issues.apache.org/jira/browse/GEODE-10546)
   - CVE: [CVE-2025-48924](https://nvd.nist.gov/vuln/detail/CVE-2025-48924)
   
   ## Checklist
   
   - [x] Security vulnerability addressed
   - [x] Dependency upgraded to patched version
   - [x] Deprecated methods replaced with standard alternatives
   - [x] All quality checks pass
   - [x] Unit tests updated and passing
   - [x] Code formatting compliant
   - [x] No breaking changes introduced
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
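
The PR above swaps commons-lang3 `StringUtils` calls for JDK equivalents, and its own test history (the `ConnectCommandTest` NullPointerException that required adding a null check) shows the main risk of that kind of replacement: the `StringUtils` methods are null-tolerant, while `String.startsWith`, `String.toLowerCase` and `String.substring` throw on a null receiver or argument. The following class is an added example, not code from the Geode PR or from Apache Commons; the class name `NullSafeStrings` and its method names are hypothetical. It reproduces the null behaviour of the four replaced `StringUtils` methods on top of the JDK, and uses `Locale.ROOT` for the case-insensitive comparison because `String.toLowerCase()` with no argument is locale-sensitive.

```java
import java.util.Locale;
import java.util.Objects;

/**
 * Hypothetical helper class (added example, not Geode or Commons Lang code).
 * Each method keeps the null handling of the commons-lang3 StringUtils method
 * it stands in for, so that replacing the library call with JDK methods does
 * not introduce a NullPointerException.
 */
public final class NullSafeStrings {

    private NullSafeStrings() {}

    /**
     * StringUtils.startsWith(null, "https") returns false, whereas calling
     * String.startsWith on a null receiver or with a null prefix throws.
     */
    public static boolean startsWith(String s, String prefix) {
        return s != null && prefix != null && s.startsWith(prefix);
    }

    /**
     * StringUtils.containsIgnoreCase returns false when either argument is null.
     * Locale.ROOT is passed explicitly so the comparison does not depend on the
     * JVM's default locale (for example Turkish dotted/dotless i mappings).
     */
    public static boolean containsIgnoreCase(String s, String search) {
        if (s == null || search == null) {
            return false;
        }
        return s.toLowerCase(Locale.ROOT).contains(search.toLowerCase(Locale.ROOT));
    }

    /**
     * StringUtils.removeStart returns the input unchanged when either argument
     * is null or the prefix does not match; an empty input stays empty.
     */
    public static String removeStart(String s, String prefix) {
        if (s == null || prefix == null || !s.startsWith(prefix)) {
            return s;
        }
        return s.substring(prefix.length());
    }

    /**
     * StringUtils.equals and Objects.equals agree: two nulls compare equal,
     * a null against a non-null value does not, and neither throws.
     */
    public static boolean equals(String a, String b) {
        return Objects.equals(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the null URL that motivated the
        // PR's "url != null &&" guard in ConnectCommand.
        String[] urls = {"https://locator.example:7070", "http://locator.example:7070", null};
        for (String url : urls) {
            System.out.println("startsWith(\"https\") on " + url + " -> " + startsWith(url, "https"));
        }

        System.out.println(containsIgnoreCase("SELECT * FROM /region", "select"));
        System.out.println(containsIgnoreCase(null, "select"));

        System.out.println(removeStart("/region", "/"));
        System.out.println(removeStart("region", "/"));
        System.out.println(removeStart(null, "/"));

        System.out.println(equals(null, null) + " " + equals("a", null));
    }
}
```

Compile and run with `javac NullSafeStrings.java && java NullSafeStrings`. When reviewing a dependency-removal change like this one, the check worth doing per call site is whether the original library method documented a null-tolerant result (false, null, or the input unchanged) and whether the replacement preserves it; where it does not, a guard such as the one added in `ConnectCommand` is required rather than optional.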
