CVE-2025-48924 Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs (#887)

Author: vharseko

legal/THIRDPARTYREADME.txt

@@ -71,10 +71,7 @@ Copyright: Copyright 2002-2014 The Apache Software Foundation
 Version: commons-io-2.3.jar
 Copyright: Copyright 2002-2012 The Apache Software Foundation
 
-Version: commons-lang-2.6.jar
-Copyright: Copyright 2001-2008 The Apache Software Foundation
-
-Version: commons-lang3-3.4.jar
+Version: commons-lang3-3.18.jar
 Copyright: Copyright 2001-2015 The Apache Software Foundation
 
 Version: commons-logging-1.1.3.jar

openam-authentication/openam-auth-ldap/src/main/java/com/sun/identity/authentication/modules/ldap/LDAP.java

@@ -26,7 +26,7 @@
  *
  * Portions Copyrighted 2010-2016 ForgeRock AS.
  * Portions Copyrighted 2019 Open Source Solution Technology Corporation
- * Portions Copyrighted 2024 3A Systems LLC
+ * Portions Copyrighted 2024-2025 3A Systems LLC
  */
 
 package com.sun.identity.authentication.modules.ldap;
@@ -57,7 +57,7 @@
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.openam.ldap.LDAPAuthUtils;
 import org.forgerock.openam.ldap.LDAPUtilException;
 import org.forgerock.openam.ldap.ModuleState;

openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/OAuth.java

@@ -23,6 +23,7 @@
  * "Portions Copyrighted [year] [name of copyright owner]"
  *
  * Portions Copyrighted 2015 Nomura Research Institute, Ltd.
+ * Portions Copyrighted 2018-2025 3A Systems, LLC.
  */
 package org.forgerock.openam.authentication.modules.oauth2;
 
@@ -51,8 +52,8 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.commons.lang.RandomStringUtils;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.RandomStringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.guice.core.InjectorHolder;
 import org.forgerock.json.jose.jwt.JwtClaimsSet;
 import org.forgerock.openam.authentication.modules.common.mapping.AccountProvider;

openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/profile/ESIAProfileProvider.java

@@ -7,7 +7,7 @@
 import javax.security.auth.login.LoginException;
 
 import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.openam.authentication.modules.oauth2.HttpRequestContent;
 import org.forgerock.openam.authentication.modules.oauth2.OAuthConf;
 import org.forgerock.openam.authentication.modules.oauth2.OAuthUtil;

openam-authentication/openam-auth-oauth2/src/main/java/org/forgerock/openam/authentication/modules/oauth2/profile/ProfileProviderFactory.java

@@ -11,12 +11,12 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions copyright [year] [name of copyright owner]".
  *
- * Copyright 2018-2024 3A Systems LLC.
+ * Copyright 2018-2025 3A Systems LLC.
  */
 
 package org.forgerock.openam.authentication.modules.oauth2.profile;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.openam.authentication.modules.oauth2.OAuthConf;
 
 public class ProfileProviderFactory {

openam-authentication/openam-auth-persistentcookie/src/main/java/org/forgerock/openam/authentication/modules/persistentcookie/PersistentCookieAuthModule.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2013-2016 ForgeRock AS.
+ * Portions Copyrighted 2018-2025 3A Systems, LLC.
  */
 
 package org.forgerock.openam.authentication.modules.persistentcookie;
@@ -30,7 +31,7 @@
 import javax.security.auth.login.LoginException;
 import javax.security.auth.message.MessageInfo;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.caf.authentication.framework.AuthenticationFramework;
 import org.forgerock.jaspi.modules.session.jwt.JwtSessionModule;
 import org.forgerock.json.jose.jwt.Jwt;

openam-authentication/openam-auth-persistentcookie/src/main/java/org/forgerock/openam/authentication/modules/persistentcookie/PersistentCookieAuthModulePostAuthenticationPlugin.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2016 ForgeRock AS.
+ * Portions Copyrighted 2018-2025 3A Systems, LLC.
  */
 
 package org.forgerock.openam.authentication.modules.persistentcookie;
@@ -31,7 +32,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.forgerock.jaspi.modules.session.jwt.JwtSessionModule;
 import org.forgerock.openam.authentication.modules.common.JaspiAuthLoginModulePostAuthenticationPlugin;
 import org.forgerock.openam.utils.ClientUtils;

openam-authentication/openam-auth-recaptcha/src/main/java/org/openidentityplatform/openam/authentication/modules/recaptcha/ReCaptcha.java

@@ -1,3 +1,19 @@
+/*
+ * The contents of this file are subject to the terms of the Common Development and
+ * Distribution License (the License). You may not use this file except in compliance with the
+ * License.
+ *
+ * You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
+ * specific language governing permission and limitations under the License.
+ *
+ * When distributing Covered Software, include this CDDL Header Notice in each file and include
+ * the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
+ * Header, with the fields enclosed by brackets [] replaced by your own identifying
+ * information: "Portions copyright [year] [name of copyright owner]".
+ *
+ * Copyright 2018-2025 3A Systems LLC.
+ */
+
 package org.openidentityplatform.openam.authentication.modules.recaptcha;
 
 import java.lang.reflect.Field;
@@ -13,7 +29,7 @@
 import javax.security.auth.callback.TextOutputCallback;
 import javax.security.auth.login.LoginException;
 
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.commons.net.util.SubnetUtils;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.config.RequestConfig;

openam-authentication/openam-auth-webauthn/src/main/java/org/openidentityplatform/openam/authentication/modules/webauthn/WebAuthnAuthentication.java

@@ -11,7 +11,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
- * Copyright 2024 3A-Systems LLC. All rights reserved.
+ * Copyright 2019-2025 3A-Systems LLC. All rights reserved.
  */
 
 package org.openidentityplatform.openam.authentication.modules.webauthn;
@@ -36,7 +36,7 @@
 import com.webauthn4j.authenticator.Authenticator;
 import com.webauthn4j.data.PublicKeyCredentialRequestOptions;
 import com.webauthn4j.data.attestation.authenticator.AuthenticatorData;
-import org.apache.commons.lang.SerializationUtils;
+import org.apache.commons.lang3.SerializationUtils;
 
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;

openam-authentication/openam-auth-webauthn/src/main/java/org/openidentityplatform/openam/authentication/modules/webauthn/WebAuthnAuthenticationProcessor.java

@@ -11,7 +11,7 @@
  * Header, with the fields enclosed by brackets [] replaced by your own identifying
  * information: "Portions Copyrighted [year] [name of copyright owner]".
  *
- * Copyright 2024 3A-Systems LLC. All rights reserved.
+ * Copyright 2019-2025 3A-Systems LLC. All rights reserved.
  */
 
 package org.openidentityplatform.openam.authentication.modules.webauthn;
@@ -32,7 +32,7 @@
 import com.webauthn4j.data.client.challenge.DefaultChallenge;
 import com.webauthn4j.server.ServerProperty;
 import com.webauthn4j.validator.exception.ValidationException;
-import org.apache.commons.lang.ArrayUtils;
+import org.apache.commons.lang3.ArrayUtils;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.ArrayList;