[
https://issues.apache.org/jira/browse/SOLR-17822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Isha Kunwar updated SOLR-17822:
-------------------------------
Description:
While reviewing our deployments, we noticed that Apache Solr ships with
`commons-lang3` version 3.14.0, which is affected by CVE-2025-48924
(High severity).
Details:
- CVE: [CVE-2025-48924|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
- Affected Library: org.apache.commons:commons-lang3
- Detected Version: 3.14.0
- Fixed Version: 3.18.0
- Path: /opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar
- Detected On: 9.5, 9.7, 9.8
- Detection Time: 2025-07-11
- Issue: Uncontrolled recursion in `ClassUtils.getClass(...)` may throw a
  [`StackOverflowError`|https://nvd.nist.gov/vuln/detail/CVE-2025-48924]
  on very long inputs.
- Impact: Since `Error`s are typically not caught by applications or
  libraries, this could result in application crashes.
Request:
Please let me know if this issue is known or already being tracked, and
whether an upgrade or patch is planned in upcoming Solr releases.
> Upgrade commons-lang3 to 3.18.0
> -------------------------------
>
> Key: SOLR-17822
> URL: https://issues.apache.org/jira/browse/SOLR-17822
> Project: Solr
> Issue Type: Task
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Build, security
> Affects Versions: 9.5, 9.7, 9.8.1
> Environment: Detected via internal security scan across deployed Solr
> versions: 9.5, 9.7, and 9.8.
> Reporter: Isha Kunwar
> Priority: Major
> Labels: security
> Attachments: Screenshot 2025-07-22 101544.png
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
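The reporter's finding came from an internal scan of deployed Solr instances. Below is an added example of such a check, written for this page and not taken from the ticket, the reporter, or the Solr project. It walks a Solr install, identifies every copy of commons-lang3 by the Maven `pom.properties` the jar carries (so a renamed or re-bundled copy is still found) and falls back to the file name for jars that lack it, then flags anything below 3.18.0, the fixed version named in the ticket. The directory layout and jar files built by `demo()` are constructed for the example and are not a real Solr distribution.

```python
import os
import re
import shutil
import sys
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Fixed release named in SOLR-17822 for CVE-2025-48924.
FIXED_VERSION = (3, 18, 0)
# Maven-built jars record their coordinates at this standard path.
POM_PROPERTIES = "META-INF/maven/org.apache.commons/commons-lang3/pom.properties"
# File-name fallback: commons-lang3-3.14.0.jar, commons-lang3-3.18.0-SNAPSHOT.jar, ...
JAR_NAME_RE = re.compile(r"^commons-lang3-(\d+(?:\.\d+)*)(?:[-.][0-9A-Za-z]+)*\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.14.0' -> (3, 14, 0); trailing qualifiers such as '-SNAPSHOT' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """Anything below 3.18.0 is treated as affected; '3.18' is padded to '3.18.0'."""
    v = parse_version(version)
    v = v + (0,) * (len(FIXED_VERSION) - len(v))
    return v < FIXED_VERSION


def version_from_jar(path: str) -> Optional[str]:
    """Return the commons-lang3 version of a jar, or None if it is not commons-lang3.

    The Maven metadata inside the archive is preferred because it survives
    renaming; the file name is only a fallback for jars without it.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            if POM_PROPERTIES in zf.namelist():
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    key, sep, value = line.partition("=")
                    if sep and key.strip() == "version":
                        return value.strip()
    except zipfile.BadZipFile:
        pass  # not a zip archive (or damaged): fall through to the file name
    m = JAR_NAME_RE.match(os.path.basename(path))
    return m.group(1) if m else None


def scan(root: str) -> List[Dict[str, str]]:
    """Walk an install tree and report every commons-lang3 jar with its status."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            version = version_from_jar(path)
            if version is None:
                continue
            findings.append({
                "path": path,
                "version": version,
                "status": "VULNERABLE" if is_vulnerable(version) else "ok",
            })
    return sorted(findings, key=lambda f: f["path"])


def demo() -> List[Dict[str, str]]:
    """Constructed sample tree mirroring the path in the ticket (not a real Solr install)."""
    root = tempfile.mkdtemp(prefix="solr-demo-")
    try:
        lib = os.path.join(root, "server", "solr-webapp", "webapp", "WEB-INF", "lib")
        ext = os.path.join(root, "server", "lib", "ext")
        os.makedirs(lib)
        os.makedirs(ext)
        # 1. vulnerable version, identifiable only by file name (empty file, not a zip)
        open(os.path.join(lib, "commons-lang3-3.14.0.jar"), "wb").close()
        # 2. renamed copy of 3.14.0: a real archive carrying Maven metadata
        with zipfile.ZipFile(os.path.join(lib, "vendor-utils.jar"), "w") as zf:
            zf.writestr(POM_PROPERTIES,
                        "#Generated by Maven (constructed sample)\n"
                        "version=3.14.0\ngroupId=org.apache.commons\nartifactId=commons-lang3\n")
        # 3. fixed version in a sibling lib directory
        open(os.path.join(ext, "commons-lang3-3.18.0.jar"), "wb").close()
        # 4. unrelated jar that must be ignored
        open(os.path.join(ext, "commons-io-2.15.1.jar"), "wb").close()
        return scan(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    # Usage: python scan_lang3.py /opt/solr   (no argument runs the constructed demo tree)
    results = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['status']:10} {f['version']:10} {f['path']}")
```

Reading the Maven metadata rather than trusting the file name matters in practice: a shaded or vendored copy of the library keeps the vulnerable code but would slip past a name-only scan, while an empty or corrupted file still gets the name-based check instead of aborting the scan.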