Fix vulnerability issue in commons-beanutils to address CVE-2025-48734 #25235

Merged
ZacBlanco merged 1 commit into prestodb:master from ShahimSharafudeen:fix_cve_commons_beanutils
Jun 4, 2025

Conversation

@ShahimSharafudeen (Contributor) commented Jun 2, 2025

Description

Fix the vulnerability issue in commons-beanutils to address CVE-2025-48734

To fix this issue, the commons-beanutils dependency was upgraded from version 1.9.4 to 1.11.0.

Motivation and Context

This dependency upgrade was implemented to mitigate CVEs present in the previous version.

Impact

Test Plan

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade commons-beanutils dependency to address 'CVE-2025-48734 <https://github.com/advisories/GHSA-wxr5-93ph-8wr9>'

@prestodb-ci prestodb-ci added the from:IBM PR from IBM label Jun 2, 2025
@ShahimSharafudeen ShahimSharafudeen marked this pull request as ready for review June 2, 2025 14:43
@ShahimSharafudeen ShahimSharafudeen requested a review from a team as a code owner June 2, 2025 14:43
@prestodb-ci prestodb-ci requested review from a team, infvg and namya28 and removed request for a team June 2, 2025 14:43
@ZacBlanco (Contributor) commented:
Please update the release note section to Security Changes

<exclusions>
<exclusion>
<groupId>commons-logging</groupId>
<artifactId>commons-logging</artifactId>
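Review bot: excluding commons-logging here only removes the copy that commons-beanutils brings in; if commons-validator (or any other dependency) still declares a different commons-logging version, Maven's nearest-wins resolution decides which one ends up on the classpath, and a differing version can be picked silently. Declare commons-logging once in <dependencyManagement> at the version you want, so both commons-beanutils and commons-validator resolve the same artifact, and keep exclusions only for transitive copies that should not be present at all.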
Contributor:

Does beanutils use commons-logging? Can we also look into updating tempto in that case too?

Contributor:

Also, rather than exclude, can we pull up the dependency here?

Contributor Author:

Yes. commons-validator and commons-beanutils use different versions of commons-logging, so it was updated to the higher version to avoid conflicts
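The two review points above (pin commons-beanutils at the fixed version and manage commons-logging centrally rather than only excluding it) can be checked mechanically. The following is an added example, not Presto code: it parses a constructed sample POM with the standard library and reports the declared commons-beanutils version against the 1.11.0 floor from this PR, plus whether commons-logging is managed or merely excluded.

```python
"""Audit a Maven POM for the points raised in this PR (example code, not Presto's).
The SAMPLE_POM below is constructed for the example and is not the project's pom.xml."""
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
BEANUTILS_FIXED = (1, 11, 0)  # version this PR upgrades to; 1.9.4 is below it

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>commons-beanutils</groupId><artifactId>commons-beanutils</artifactId>
      <version>1.11.0</version></dependency>
    <dependency><groupId>commons-validator</groupId><artifactId>commons-validator</artifactId>
      <version>1.7</version>
      <exclusions><exclusion><groupId>commons-logging</groupId>
        <artifactId>commons-logging</artifactId></exclusion></exclusions></dependency>
  </dependencies></dependencyManagement>
</project>"""


def parse_version(text):
    # "1.9.4" -> (1, 9, 4); non-numeric qualifiers are dropped for this comparison
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit_pom(pom_xml):
    """Return findings: beanutils version/ok flag, and commons-logging handling."""
    root = ET.fromstring(pom_xml)
    findings = {"beanutils_version": None, "beanutils_ok": False,
                "logging_managed": False, "logging_excluded_from": []}
    for dep in root.iterfind(".//m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        ver = dep.findtext("m:version", default="", namespaces=NS)
        if (gid, aid) == ("commons-beanutils", "commons-beanutils") and ver:
            findings["beanutils_version"] = ver
            findings["beanutils_ok"] = parse_version(ver) >= BEANUTILS_FIXED
        if (gid, aid) == ("commons-logging", "commons-logging"):
            findings["logging_managed"] = True  # a single declared version exists
        for ex in dep.iterfind("m:exclusions/m:exclusion", NS):
            if ex.findtext("m:artifactId", default="", namespaces=NS) == "commons-logging":
                findings["logging_excluded_from"].append(aid)
    return findings
```

A non-empty `logging_excluded_from` with `logging_managed` false is the situation the reviewer flagged: the exclusion alone leaves the surviving commons-logging version to transitive resolution.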

@ShahimSharafudeen ShahimSharafudeen force-pushed the fix_cve_commons_beanutils branch from 56c99a5 to 599835d Compare June 2, 2025 18:03
@ShahimSharafudeen ShahimSharafudeen force-pushed the fix_cve_commons_beanutils branch from 599835d to 71b31da Compare June 4, 2025 06:36
@ZacBlanco ZacBlanco merged commit c08c6ef into prestodb:master Jun 4, 2025
97 checks passed
@prestodb-ci prestodb-ci mentioned this pull request Jul 28, 2025