RUN-3601: CVE-2025-48924 Fix

fdevans · fdevans · commit e2cfdf8c385b · 2025-10-07T15:01:11.000-07:00
Mitigates CVE-2025-48924 by upgrading commons-lang to commons-lang3 3.18.0. - Added commons-lang3 3.18.0 dependency to libs.versions.toml - Configured dependency substitution to replace vulnerable commons-lang with secure commons-lang3 - Ensures all transitive dependencies use the secure version
diff --git a/build.gradle b/build.gradle
@@ -65,6 +65,9 @@ dependencies {
     implementation libs.bundles.awsSdk
     implementation libs.jacksonDatabind
     implementation libs.commonsBeanutils
+    
+    // Add secure commons-lang3 to provide alternative to vulnerable commons-lang 2.6
+    implementation(libs.commonsLang3)
 
     pluginLibs(libs.awsSdkEc2) {
         exclude group: "org.apache.httpcomponents", module: "httpclient"
@@ -80,6 +83,15 @@ dependencies {
     testImplementation libs.bundles.testLibs
 }
 
+configurations.all {
+    resolutionStrategy {
+        // Replace vulnerable commons-lang with secure commons-lang3
+        dependencySubstitution {
+            substitute module('commons-lang:commons-lang') using module("org.apache.commons:commons-lang3:${libs.versions.commonsLang3.get()}")
+        }
+    }
+}
+
 // task to copy plugin libs to output/lib dir
 task copyToLib(type: Copy) {
     into "$buildDir/output/lib"
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -10,6 +10,8 @@ objenesis = "3.4"
 rundeckCore = "5.14.0-rc1-20250722"
 slf4j = "1.7.36"
 spock = "2.3-groovy-3.0"
+# Security overrides for transitive dependencies
+commonsLang3 = "3.18.0"
 
 [libraries]
 slf4jApi = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j" }
@@ -23,6 +25,7 @@ groovyAll = { group = "org.codehaus.groovy", name = "groovy-all", version.ref =
 spockCore = { group = "org.spockframework", name = "spock-core", version.ref = "spock" }
 cglibNodep = { group = "cglib", name = "cglib-nodep", version.ref = "cglib" }
 objenesis = { group = "org.objenesis", name = "objenesis", version.ref = "objenesis" }
+commonsLang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
 
 [bundles]
 awsSdk = ["awsSdkCore", "awsSdkSts"]
