From 0ab2a484a952101c8c811d25bd763ed6b4ed8772 Mon Sep 17 00:00:00 2001
From: Lantao Jin
Date: Tue, 22 Jul 2025 11:13:06 +0800
Subject: [PATCH 1/2] [Backport 2.x] CVE-2025-48924: upgrade commons-lang3 to 3.18.0 (#3895)
Signed-off-by: Lantao Jin
---
 common/build.gradle | 2 +-
 core/build.gradle | 2 +-
 legacy/build.gradle | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/build.gradle b/common/build.gradle
index a37e6ea4113..7722c64ac7e 100644
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -36,7 +36,7 @@ dependencies {
 api "org.antlr:antlr4-runtime:4.7.1"
 api group: 'com.google.guava', name: 'guava', version: "${guava_version}"
 api group: 'org.apache.logging.log4j', name: 'log4j-core', version:"${versions.log4j}"
-api group: 'org.apache.commons', name: 'commons-lang3', version: '3.12.0'
+api group: 'org.apache.commons', name: 'commons-lang3', version: '3.18.0'
 api group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.9.3'
 api group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
 implementation 'com.github.babbel:okhttp-aws-signer:1.0.2'
diff --git a/core/build.gradle b/core/build.gradle
index edd16093b45..942c33b4391 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -36,7 +36,7 @@ repositories {
 dependencies {
 api group: 'com.google.guava', name: 'guava', version: "${guava_version}"
-api group: 'org.apache.commons', name: 'commons-lang3', version: '3.12.0'
+api group: 'org.apache.commons', name: 'commons-lang3', version: '3.18.0'
 api group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
 api group: 'com.facebook.presto', name: 'presto-matching', version: '0.240'
 api group: 'org.apache.commons', name: 'commons-math3', version: '3.6.1'
diff --git a/legacy/build.gradle b/legacy/build.gradle
index 72829e1be79..4e09a3692d6 100644
--- a/legacy/build.gradle
+++ b/legacy/build.gradle
@@ -91,7 +91,7 @@ dependencies {
 }
 implementation group: 'com.google.guava', name: 'guava', version: "${guava_version}"
 implementation group: 'org.json', name: 'json', version:'20231013'
-implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.12.0'
+implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.18.0'
 implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
 implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"
 // add geo module as dependency. https://github.com/opensearch-project/OpenSearch/pull/4180/.
From e369d9f0345b06885fb6cd534425f8ee6ca7a630 Mon Sep 17 00:00:00 2001
From: Lantao Jin
Date: Tue, 22 Jul 2025 11:29:23 +0800
Subject: [PATCH 2/2] enfore resolutionStrategy to 3.18.0
Signed-off-by: Lantao Jin
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build.gradle b/build.gradle
index dbe1fb0d2be..070c0b56875 100644
--- a/build.gradle
+++ b/build.gradle
@@ -122,6 +122,7 @@ allprojects {
 resolutionStrategy.force "org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.9.0"
 resolutionStrategy.force "org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.9.0"
 resolutionStrategy.force "net.bytebuddy:byte-buddy:1.14.9"
+resolutionStrategy.force 'org.apache.commons:commons-lang3:3.18.0'
 }
 }