WildFly Core / WFCORE-7306

Upgrade commons-lang3 to 3.18 (relates to CVE-2025-48924)


https://github.com/apache/commons-lang/compare/rel/commons-lang-3.17.0...rel/commons-lang-3.18.0

Besides elytron use in core, in full WF this also affects the messaging-activemq and webservices subsystems, so ehugonne1@redhat.com and ropalka should have input. There are over 600 commits in the diff ^^^, so it's not trivial.

This fixes https://nvd.nist.gov/vuln/detail/CVE-2025-48924. That seems like a really minor CVE though, and I see no indication of our code (or deps) calling the ClassUtils.getClass(...) methods that were hardened. So, while this will eliminate WF getting flagged by scanners for the CVE, we're not IMHO actually affected by the CVE and the scanner issue shouldn't force an upgrade we're otherwise uncomfortable with.
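One way to back up the "no indication of our code (or deps) calling ClassUtils.getClass(...)" assessment with a repeatable check is to parse the constant pool of every class file in the shipped jars and report any Methodref whose owner is `org/apache/commons/lang3/ClassUtils` and whose name is `getClass`. The script below is an added example, not part of this issue, WildFly or Apache Commons; it assumes a directory of jars on the command line, and the jar it builds for its own demonstration is a constructed sample with hypothetical class names. It is a static check: calls reached through reflection or through other libraries' jars that are not scanned will not show up.

```python
"""Find class files that call ClassUtils.getClass(...) by reading the JVM constant pool."""
import os
import struct
import sys
import tempfile
import zipfile

# Owner and method named in the CVE-2025-48924 hardening, as JVM internal names.
TARGET_OWNER = "org/apache/commons/lang3/ClassUtils"
TARGET_METHOD = "getClass"

# Payload width of constant-pool entries the scanner only needs to skip (tag -> bytes).
_SKIP = {3: 4, 4: 4, 5: 8, 6: 8, 8: 2, 9: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data: bytes) -> list:
    """Return the constant pool as a 1-indexed list of tuples (slot 0 is unused)."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file")
    (count,) = struct.unpack_from(">H", data, 8)
    pool = [None] * count
    pos, i = 10, 1
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:  # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[i] = ("utf8", data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag == 7:  # CONSTANT_Class -> name index
            pool[i] = ("class",) + struct.unpack_from(">H", data, pos)
            pos += 2
        elif tag == 12:  # CONSTANT_NameAndType -> (name index, descriptor index)
            pool[i] = ("nat",) + struct.unpack_from(">HH", data, pos)
            pos += 4
        elif tag in (10, 11):  # CONSTANT_Methodref / InterfaceMethodref -> (class, nat)
            pool[i] = ("methodref",) + struct.unpack_from(">HH", data, pos)
            pos += 4
        elif tag in _SKIP:  # Fieldref, String, numerics, handles, modules: not call sites
            pos += _SKIP[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        i += 2 if tag in (5, 6) else 1  # Long and Double occupy two slots
    return pool


def find_get_class_callers(class_bytes: bytes) -> list:
    """Descriptors of every ClassUtils.getClass overload this class file references."""
    pool = parse_constant_pool(class_bytes)
    found = []
    for entry in pool:
        if not entry or entry[0] != "methodref":
            continue
        owner = pool[pool[entry[1]][1]][1]
        name_idx, desc_idx = pool[entry[2]][1], pool[entry[2]][2]
        if owner == TARGET_OWNER and pool[name_idx][1] == TARGET_METHOD:
            found.append(pool[desc_idx][1])
    return found


def scan_jar(path: str) -> dict:
    """Map each .class entry that calls ClassUtils.getClass to the descriptors it uses."""
    hits = {}
    with zipfile.ZipFile(path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                descriptors = find_get_class_callers(jar.read(name))
                if descriptors:
                    hits[name] = descriptors
    return hits


def build_sample_class(owner: str, method: str, descriptor: str) -> bytes:
    """Constructed sample: a minimal class file whose constant pool holds one Methodref
    to owner.method(descriptor). Only the pool is meaningful; the rest is zeroed."""
    def utf8(s):
        b = s.encode("utf-8")
        return b"\x01" + struct.pack(">H", len(b)) + b
    entries = [
        utf8(owner),                          # 1
        b"\x07" + struct.pack(">H", 1),       # 2 Class -> #1
        utf8(method),                         # 3
        utf8(descriptor),                     # 4
        b"\x0c" + struct.pack(">HH", 3, 4),   # 5 NameAndType -> #3, #4
        b"\x0a" + struct.pack(">HH", 2, 5),   # 6 Methodref -> #2, #5
    ]
    header = b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(entries) + 1)
    trailer = struct.pack(">HHHHHHH", 0x21, 0, 0, 0, 0, 0, 0)  # access flags .. attributes
    return header + b"".join(entries) + trailer


def build_sample_jar(path: str) -> None:
    """Constructed jar: one class calls ClassUtils.getClass, one calls Object.getClass."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("com/example/UsesClassUtils.class",
                     build_sample_class(TARGET_OWNER, TARGET_METHOD, "(Ljava/lang/String;)Ljava/lang/Class;"))
        jar.writestr("com/example/UsesObjectGetClass.class",
                     build_sample_class("java/lang/Object", "getClass", "()Ljava/lang/Class;"))


def demo() -> dict:
    """Build the sample jar in a temp dir and return the scan result (hypothetical paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        jar_path = os.path.join(tmp, "sample.jar")
        build_sample_jar(jar_path)
        return scan_jar(jar_path)


if __name__ == "__main__":
    jars = [os.path.join(d, f) for d in sys.argv[1:] for f in os.listdir(d) if f.endswith(".jar")]
    for p in jars or []:
        for cls, descs in scan_jar(p).items():
            print(f"{p}: {cls} -> {', '.join(descs)}")
    if not jars:
        print(demo())
```

Run it with one or more module directories as arguments to list every class that references a `ClassUtils.getClass` overload; with no arguments it scans its own constructed jar and reports only the `UsesClassUtils` entry, since `Object.getClass` has a different owner. Matching on the Methodref owner rather than grepping for the string `getClass` is what keeps the ubiquitous `Object.getClass()` calls out of the results.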

bstansbe@redhat.com Brian Stansberry