[ 
https://issues.apache.org/jira/browse/SOLR-17822?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18012053#comment-18012053
 ] 

Piotr Karwasz commented on SOLR-17822:
--------------------------------------

Hi [~ishakunwar],

It took a bit of time (including a detour through Apache Commons, where we also 
published related VEX statements), but I’ve now created a [VEX statement for 
CVE-2025-48924|https://github.com/apache/solr-site/pull/152].

I'm still refining how to clearly and verifiably communicate 
*non-exploitability*, so I’d really appreciate your feedback on the PR, 
particularly on the explanation. Do you think it should be more structured? Is 
it easy to follow and validate the reasoning?

The VEX file currently includes only brief summaries of the explanation; I'm 
working on lifting that limitation.

> Upgrade commons-lang3 to 3.18.0
> -------------------------------
>
>                 Key: SOLR-17822
>                 URL: https://issues.apache.org/jira/browse/SOLR-17822
>             Project: Solr
>          Issue Type: Task
>          Components: Build, security
>    Affects Versions: 9.5, 9.7, 9.8.1
>         Environment: Detected via internal security scan across deployed Solr 
> versions: *9.5, 9.7, and 9.8.*
>            Reporter: Isha Kunwar
>            Priority: Major
>              Labels: pull-request-available, security
>         Attachments: Screenshot 2025-07-22 101544.png
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> While reviewing our deployments, we noticed that Apache Solr ships with 
> commons-lang3 version 3.14.0, which is affected by CVE-2025-48924 (High severity).
>
> Details:
>  - CVE: CVE-2025-48924 (https://nvd.nist.gov/vuln/detail/CVE-2025-48924)
>  - Affected Library: org.apache.commons:commons-lang3
>  - Detected Version: 3.14.0
>  - Fixed Version: 3.18.0
>  - Path: /opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar
>  - Detected On: 9.5, 9.7, 9.8
>  - Detection Time: 2025-07-11
>  - Issue: Uncontrolled recursion in ClassUtils.getClass(...) may throw a 
>    StackOverflowError (https://nvd.nist.gov/vuln/detail/CVE-2025-48924) on 
>    very long inputs.
>  - Impact: Since Errors are typically not caught by applications or 
>    libraries, this could result in application crashes.
>
> Request:
> Please let me know if this issue is known or already being tracked, and 
> whether an upgrade or patch is planned in upcoming Solr releases.
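As an added example (not code from this issue, from Solr, or from the VEX pull request linked in the comment), the script below does the two things this thread is about: it triages the jar filenames found in a deployment against the fixed version 3.18.0 named in the report, and it turns a finding into an OpenVEX-shaped statement whose "not_affected" status cannot be emitted without a justification or impact statement, which is the "verifiable non-exploitability" point the comment raises. The first sample path is the one quoted in the issue; the other paths, the author address, the document `@id` and the justification/impact text are constructed placeholders. The OpenVEX field names and status/justification vocabulary follow the OpenVEX specification as I understand it and are an assumption, not the layout of the project's actual VEX file.

```python
import json
import re
from datetime import datetime, timezone

# Values taken from the issue report above.
CVE_ID = "CVE-2025-48924"
GROUP, ARTIFACT = "org.apache.commons", "commons-lang3"
FIXED_VERSION = "3.18.0"

# Constructed sample input: the first path is the one quoted in the issue; the
# other two are made up to exercise the "fixed" and "not our artifact" branches.
SAMPLE_PATHS = [
    "/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.14.0.jar",
    "/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/commons-lang3-3.18.0.jar",
    "/opt/solr/server/solr-webapp/webapp/WEB-INF/lib/constructed-other-1.0.jar",
]

# Matches <artifact>-<numeric version>[-qualifier].jar, e.g. commons-lang3-3.14.0.jar
JAR_RE = re.compile(rf"{re.escape(ARTIFACT)}-(\d+(?:\.\d+)*)(?:-[A-Za-z0-9.]+)?\.jar")


def parse_version(version):
    """'3.14.0' -> (3, 14, 0). Tuple comparison orders numerically, so 3.9.0 < 3.18.0;
    a plain string comparison would get that backwards."""
    return tuple(int(part) for part in version.split("."))


def jar_version(path):
    """Return the commons-lang3 version encoded in a jar filename, or None for other jars."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    match = JAR_RE.fullmatch(name)
    return match.group(1) if match else None


def purl(version):
    """Package URL for the Maven artifact, the identifier used in VEX 'products' entries."""
    return f"pkg:maven/{GROUP}/{ARTIFACT}@{version}"


def triage(paths):
    """Flag every commons-lang3 jar below FIXED_VERSION as 'affected', the rest as 'fixed'."""
    findings = []
    for path in paths:
        version = jar_version(path)
        if version is None:
            continue
        below_fix = parse_version(version) < parse_version(FIXED_VERSION)
        findings.append({"path": path, "version": version, "purl": purl(version),
                         "status": "affected" if below_fix else "fixed"})
    return findings


def vex_statement(finding, status=None, justification=None, impact_statement=None):
    """One OpenVEX-shaped statement (field names assumed from the OpenVEX spec).

    The version check alone only yields 'affected' or 'fixed'. Asserting 'not_affected'
    is a human judgement, and the statement must then carry a justification or an
    impact statement so a reader can validate the reasoning rather than take it on trust."""
    status = status or finding["status"]
    statement = {"vulnerability": {"name": CVE_ID},
                 "products": [{"@id": finding["purl"]}],
                 "status": status}
    if status == "not_affected":
        if not (justification or impact_statement):
            raise ValueError("not_affected requires a justification or impact_statement")
        if justification:
            statement["justification"] = justification
        if impact_statement:
            statement["impact_statement"] = impact_statement
    return statement


def vex_document(statements, author):
    """Minimal OpenVEX document envelope; @id and author are constructed placeholders."""
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "@id": f"https://example.org/vex/{CVE_ID.lower()}",
            "author": author,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "version": 1,
            "statements": statements}


if __name__ == "__main__":
    findings = triage(SAMPLE_PATHS)
    for f in findings:
        print(f"{f['status']:8} {f['purl']}  ({f['path']})")
    # Placeholder reasoning: the real explanation belongs in the linked VEX pull request.
    doc = vex_document(
        [vex_statement(findings[0], status="not_affected",
                       justification="vulnerable_code_not_in_execute_path",
                       impact_statement="PLACEHOLDER: explain why the code path is unreachable")],
        author="security-team@example.org")
    print(json.dumps(doc, indent=2))
```

The triage step deliberately compares parsed version tuples rather than strings, and the VEX step refuses to produce a bare "not_affected" claim; together they separate the mechanical fact a scanner can establish (which version is on the classpath) from the reasoned claim a maintainer has to document (why that version is not exploitable in this product).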



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
