Fix CVEs related to `Apache Commons-lang3` and `Netty` #3100

VenkatasivareddyTR · 2025-11-05T09:40:37Z

Issue #, if available:
#2970
#2569

Description of changes:
Problem:
Addressed below CVE

CVE-2020-15250
CVE-2025-24970
CVE-2025-58056
CVE-2025-58057
CVE-2025-55163
CVE-2025-27820
CVE-2024-57699
CVE-2025-48924
- AWS Inspector flagged CVE-2025-48924 in athena-dynamodb connector (version 2025.34.3)
  The vulnerability affects Apache Commons Lang3 versions < 3.18.0
  Multiple connectors are impacted due to transitive dependencies pulling in older versions.

Solution:
Upgraded Apache Commons-lang3 to 3.19.0 to address a transitive dependency and exclude problematic metadata, which fixes CVE-2025-48924. Since similar CVEs were observed for other connectors as well, we have updated the code in the root POM.
Upgraded netty to 4.1.128.Final.

Please find the attached DynamoDB testing documentation for reference.

CVE-2025-48924-Fix.docx
DYNAMODB_FUNCTIONAL_TEST_2025-11-04.xlsx
DynamoDB All CVE issues fix.docx
DDB_FUNCTIONAL_TEST_2025-11-13.xlsx

Bug fixes

Address Epoch Date to Date conversion bug where we were using machine local timezone and cause correctness issue.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

amazon-inspector-n-virginia · 2025-11-05T09:40:41Z

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

amazon-inspector-n-virginia · 2025-11-05T09:40:41Z

⏳ I'm reviewing this pull request for security vulnerabilities and code quality issues. I'll provide an update when I'm done

amazon-inspector-n-virginia · 2025-11-05T09:41:12Z

✅ I finished the code review, and didn't find any security or code quality issues.

amazon-inspector-n-virginia · 2025-11-05T09:41:13Z

✅ I finished the code review, and didn't find any security or code quality issues.

codecov · 2025-11-05T10:03:44Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.01%. Comparing base (fe0a5d9) to head (01f9740).
⚠️ Report is 95 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff              @@
##             master    #3100      +/-   ##
============================================
+ Coverage     63.67%   68.01%   +4.34%     
- Complexity     4344     4959     +615     
============================================
  Files           621      635      +14     
  Lines         23286    24140     +854     
  Branches       2859     2996     +137     
============================================
+ Hits          14827    16420    +1593     
+ Misses         7070     6274     -796     
- Partials       1389     1446      +57

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…exclude problematic metadata to fix CVE-2025-48924

…CVE-2025-24970, CVE-2025-58056, CVE-2025-58057, CVE-2025-55163, CVE-2025-27820, CVE-2024-57699 and other related CVEs are also fixed.

pom.xml

…ut as UTC

… all input as UTC" This reverts commit 88f3719.

… all input as UTC" This reverts commit d9c5a7c.

- Added unit tests in athena-synapse Connector (#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (#3100) - Revise Athena Federated Queries instructions in README (#3069) - fix snowflake QPT return empty result (#3106) - add view into oracle paginated query (#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (#3098) - Added unit tests for bigquery (#2950) - Update PostgreSQL engine version to 15.10 (#3099) - Add unit tests for athena-oracle. (#2836) - Adding support to use custom SecretManagerClient for Google Big Query (#2846)

- Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)

- wait for release branch and checkout - wait for release branch and checkout - Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)

- Update release workflow for Java version builds - Enhance cut_release workflow for Java 11 and 17 - wait for release branch and checkout - wait for release branch and checkout - Update runner and slug - Update GitHub Actions workflows to build with Java 11 and 17 - Remove hard-coded Glue list-jobs --max-results 100 to find all Glue jobs (awslabs#3127) - Added unit tests in athena-synapse Connector (awslabs#2963) - Updating EncryptionKeyFactory to add overirde AWS request configuration in KMS calls made generate encryption key (awslabs#3103) - Fix epoch date conversion correctness issue when machine time zone is not in UTC (awslabs#3108) - Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0 (awslabs#3100) - Revise Athena Federated Queries instructions in README (awslabs#3069) - fix snowflake QPT return empty result (awslabs#3106) - add view into oracle paginated query (awslabs#3107) - build(deps): bump com.google.protobuf:protobuf-bom from 4.32.1 to 4.33.0 (awslabs#3071) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.7 to 4.9.8 (awslabs#3076) - build(deps): bump org.apache.avro:avro from 1.12.0 to 1.12.1 (awslabs#3075) - Handle ResourceNotFoundException from Dynamodb as AthenaConnectorExce… (awslabs#3098) - Added unit tests for bigquery (awslabs#2950) - Update PostgreSQL engine version to 15.10 (awslabs#3099) - Add unit tests for athena-oracle. (awslabs#2836) - Adding support to use custom SecretManagerClient for Google Big Query (awslabs#2846) - Added unit tests for athena-cloudera-impala Connector (awslabs#2880) - added unit tests for athena-vertica. (awslabs#2783) - added unit tests for athena-redshift. (awslabs#2733) - Always include partition column when get-table-layout (awslabs#3045) - fix cloudwatch glue connection cfn template (awslabs#3013) - Added unit tests for JDBC module (awslabs#2732) - Added pagination for Db2 connector (awslabs#2772) - [Fix] Include default truststore path when passing JAVA_TOOL_OPTIONS for Java 17 image (awslabs#3007) - build(deps): bump com.google.guava:guava from 33.4.0-jre to 33.4.8-jre (awslabs#2728) - Handle KMS and DDB NotFoundExceptions by throwing AthenaConnectorException (awslabs#3064) - build(deps): bump aws-sdk-v2.version from 2.35.1 to 2.35.5 (awslabs#3047) - build(deps): bump io.confluent:kafka-avro-serializer from 8.0.0 to 8.0.2 (awslabs#3055) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.35.0 to 2.35.5 (awslabs#3057) - build(deps): bump org.apache.maven.plugins:maven-dependency-plugin from 3.8.1 to 3.9.0 (awslabs#3061) - Remove timestamp case from SnowflakeQueryStringBuilder (awslabs#2997) - build(deps): bump io.substrait.version from 0.65.0 to 0.66.0 (awslabs#3051) - build(deps): bump com.google.cloud:google-cloud-storage from 2.58.0 to 2.58.1 (awslabs#3059) - build(deps): bump org.postgresql:postgresql from 42.7.7 to 42.7.8 (awslabs#3063) - build(deps): bump org.apache.maven.plugins:maven-javadoc-plugin from 3.11.3 to 3.12.0 (awslabs#3062) - build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.9.4 to 4.9.6 (awslabs#3058) - build(deps): bump org.jacoco:jacoco-maven-plugin from 0.8.13 to 0.8.14 (awslabs#3060) - build(deps): bump net.sf.jt400:jt400 from 21.0.5 to 21.0.6 (awslabs#3053) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.50 to 20.00.00.51 (awslabs#3054) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.3 to 9.1.5 (awslabs#3056) - build(deps): bump org.bouncycastle:bcpkix-jdk18on from 1.81 to 1.82 (awslabs#3050) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.6 to 5.2.0 (awslabs#3052) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.114.1 to 1.115.0 (awslabs#3048) - build(deps): bump aws-sdk-v2.version from 2.34.5 to 2.35.0 (awslabs#3039) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.1.1 to 4.2 (awslabs#3037) - build(deps): bump aws-sdk.version from 1.12.791 to 1.12.792 (awslabs#3035) - build(deps): bump net.java.dev.jna:jna-platform from 5.17.0 to 5.18.1 (awslabs#3038) - build(deps-dev): bump log4j2Version from 2.25.1 to 2.25.2 (awslabs#3029) - build(deps): bump io.substrait.version from 0.52.0 to 0.65.0 (awslabs#3021) - build(deps): bump org.assertj:assertj-core from 3.27.4 to 3.27.6 (awslabs#3019) - build(deps): bump com.amazonaws:aws-lambda-java-core from 1.3.0 to 1.4.0 (awslabs#3020) - build(deps): bump net.java.dev.jna:jna from 5.17.0 to 5.18.1 (awslabs#3034) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib from 2.2.10 to 2.2.20 (awslabs#3027) - build(deps): bump org.apache.commons:commons-lang3 from 3.18.0 to 3.19.0 (awslabs#3033) - build(deps): bump org.bouncycastle:bcprov-jdk18on from 1.81 to 1.82 (awslabs#3022) - build(deps): bump org.bouncycastle:bcutil-jdk18on from 1.81 to 1.82 (awslabs#3024) - build(deps): bump org.sonatype.central:central-publishing-maven-plugin from 0.8.0 to 0.9.0 (awslabs#3026) - build(deps): bump org.codehaus.mojo:license-maven-plugin from 2.6.0 to 2.7.0 (awslabs#3023) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.33.8 to 2.35.0 (awslabs#3040) - Add Support for OAuth in athena-saphana Connector (awslabs#2894) - build(deps): bump aws-actions/configure-aws-credentials from 4 to 5 (awslabs#2975) - build(deps): bump actions/setup-node from 4 to 5 (awslabs#2976) - [Neptune] Add doc details on how multi-valued properties are handled. (awslabs#2995) - build(deps): bump org.jetbrains.kotlin:kotlin-reflect from 2.2.10 to 2.2.20 (awslabs#3028) - build(deps): bump software.amazon.glue:schema-registry-serde from 1.1.24 to 1.1.25 (awslabs#3030) - build(deps): bump org.jetbrains.kotlin:kotlin-stdlib-jdk8 from 2.2.10 to 2.2.20 (awslabs#3031) - build(deps): bump com.teradata.jdbc:terajdbc from 20.00.00.49 to 20.00.00.50 (awslabs#3032) - build(deps): bump aws-sdk-v2.version from 2.34.3 to 2.34.5 (awslabs#3017) - Add Support for OAuth in athena-sqlserver Connector (awslabs#3006) - Add Support for OAuth in athena-synapse Connector (awslabs#2904) - build(deps): bump software.amazon.jsii:jsii-runtime from 1.113.0 to 1.114.1 (awslabs#2979) - build(deps): bump org.apache.calcite.version from 1.39.0 to 1.40.0 (awslabs#2980) - build(deps): bump aws-sdk.version from 1.12.788 to 1.12.791 (awslabs#2981) - build(deps): bump org.eclipse.rdf4j:rdf4j-repository-sparql from 5.1.4 to 5.1.5 (awslabs#2983) - build(deps): bump com.clickhouse:clickhouse-jdbc from 0.9.1 to 0.9.2 (awslabs#2985) - build(deps): bump net.snowflake:snowflake-jdbc from 3.26.0 to 3.26.1 (awslabs#2987) - build(deps): bump org.yaml:snakeyaml from 2.4 to 2.5 (awslabs#2988) - build(deps-dev): bump nl.jqno.equalsverifier:equalsverifier from 4.0.9 to 4.1 (awslabs#2998) - build(deps): bump aws-sdk-v2.version from 2.32.29 to 2.33.9 (awslabs#2999) - build(deps): bump org.apache.kafka:kafka-clients from 4.0.0 to 4.1.0 (awslabs#3000) - build(deps): bump surefire.failsafe.version from 3.5.3 to 3.5.4 (awslabs#3001) - build(deps): bump com.microsoft.azure:msal4j from 1.22.0 to 1.23.1 (awslabs#3002) - build(deps): bump org.apache.maven.plugins:maven-shade-plugin from 3.6.0 to 3.6.1 (awslabs#3003) - build(deps): bump com.google.cloud:google-cloud-storage from 2.55.0 to 2.57.0 (awslabs#3004) - build(deps): bump com.sap.cloud.db.jdbc:ngdbc from 2.25.12 to 2.26.6 (awslabs#3012) - build(deps): bump org.apache.maven.plugins:maven-compiler-plugin from 3.14.0 to 3.14.1 (awslabs#3011) - Fixing error messages to not leak sensitive info (awslabs#3008) - Include linked accounts option when querying metric_samples table. (awslabs#2922) - Updating Zookeeper to latest version 3.9.4 (awslabs#3005) - build(deps): bump com.google.protobuf:protobuf-bom from 4.29.3 to 4.32.0 (awslabs#2991) - Add serverless datalakegen2 support (awslabs#2973) - Abstract common OAuth handling and add OAuth support to Athena DataLake Gen2 Connector (awslabs#2932) - build(deps): bump software.amazon.awssdk:cloudwatchlogs from 2.32.29 to 2.33.4 (awslabs#2992) - build(deps): bump org.elasticsearch.client:elasticsearch-rest-client from 9.1.2 to 9.1.3 (awslabs#2993) - build(deps): bump io.lettuce:lettuce-core from 6.8.0.RELEASE to 6.8.1.RELEASE (awslabs#2994) - Hbase namespace issue (awslabs#2996)

VenkatasivareddyTR force-pushed the feature/upgrade_apache_commons_lang3 branch from 2d9f3f9 to 9cd8bde Compare November 13, 2025 14:28

VenkatasivareddyTR added 2 commits November 18, 2025 15:47

Upgrade Apache Commons-lang3 to 3.19.0 for transitive dependency and …

dec183c

…exclude problematic metadata to fix CVE-2025-48924

Fix CVE issues for DDB: CVE-2025-58186, CVE-2025-8058, CVE-2020-15250, …

44115f1

…CVE-2025-24970, CVE-2025-58056, CVE-2025-58057, CVE-2025-55163, CVE-2025-27820, CVE-2024-57699 and other related CVEs are also fixed.

chngpe force-pushed the feature/upgrade_apache_commons_lang3 branch from 9cd8bde to 44115f1 Compare November 18, 2025 20:47

chngpe reviewed Nov 18, 2025

View reviewed changes

pom.xml Show resolved Hide resolved

chngpe added 5 commits November 18, 2025 17:42

update version

35562f9

Fix epoch date conversion with machine timezone, should treat all inp…

d9c5a7c

…ut as UTC

Fix epoch date conversion with machine timezone, should treat all inp…

88f3719

…ut as UTC

revert ddb docker file changes

9dba0d7

fix pom file msk

349f410

fal-bharadwaj previously approved these changes Nov 19, 2025

View reviewed changes

chngpe added 2 commits November 19, 2025 14:33

Revert "Fix epoch date conversion with machine timezone, should treat…

56b4f4a

… all input as UTC" This reverts commit 88f3719.

Revert "Fix epoch date conversion with machine timezone, should treat…

01f9740

… all input as UTC" This reverts commit d9c5a7c.

chngpe dismissed fal-bharadwaj’s stale review via 01f9740 November 19, 2025 19:34

fal-bharadwaj approved these changes Nov 19, 2025

View reviewed changes

AbdulR3hman approved these changes Nov 19, 2025

View reviewed changes

AbdulR3hman merged commit e8debfd into awslabs:master Nov 19, 2025
8 checks passed

chngpe changed the title ~~Fix CVE-2025-48924: Upgrade Apache Commons Lang3 to 3.19.0~~ Fix CVEs related to Apache Commons-lang3 and Netty Nov 19, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Fix CVEs related to `Apache Commons-lang3` and `Netty` #3100

Fix CVEs related to `Apache Commons-lang3` and `Netty` #3100

Uh oh!

VenkatasivareddyTR commented Nov 5, 2025 •

edited by chngpe

Loading

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

codecov bot commented Nov 5, 2025 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Fix CVEs related to Apache Commons-lang3 and Netty #3100

Fix CVEs related to Apache Commons-lang3 and Netty #3100

Uh oh!

Conversation

VenkatasivareddyTR commented Nov 5, 2025 • edited by chngpe Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

amazon-inspector-n-virginia bot commented Nov 5, 2025

Uh oh!

codecov bot commented Nov 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Fix CVEs related to `Apache Commons-lang3` and `Netty` #3100

Fix CVEs related to `Apache Commons-lang3` and `Netty` #3100

VenkatasivareddyTR commented Nov 5, 2025 •

edited by chngpe

Loading

codecov bot commented Nov 5, 2025 •

edited

Loading