8.1.12 Fixes for vulnerability CVE-2025-48924

This release fixes the following vulnerability:

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

• https://ossindex.sonatype.org/vulnerability/CVE-2025-48924?component-type=maven&component-name=org.apache.commons%2Fcommons-lang3&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2025-48924
• GHSA-j288-q9x7-2f5v

Security

• #197: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.5 to 11.0.6

Test Dependency Updates

• Updated com.exasol:udf-debugging-java:0.6.16 to 0.6.17
• Updated com.exasol:virtual-schema-common-document:11.0.5 to 11.0.6

Plugin Dependency Updates

• Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
• Updated com.exasol:project-keeper-maven-plugin:5.2.2 to 5.2.3

8.1.11 Improve query plan logging

This release adds more logging by updating the version of the virtual-schema-common-document. This allows improving logging around the paths that lead to the creation of the query plan.

Features

• #194: Add more logging around the paths that lead to the creation of the query plan.

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.4 to 11.0.5

Test Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.4 to 11.0.5

8.1.10 Improve query plan logging

This release adds more logging to buildExplicitSegmentation() and buildHashSegmentation methods of the class FilesDocumentFetcherFactory. This allows improving logging around the paths that lead to the creation of the query plan.

Features

• #194: Add more logging around the paths that lead to the creation of the query plan.

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.3 to 11.0.4

Test Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.3 to 11.0.4

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:5.1.0 to 5.2.2
• Added org.sonatype.central:central-publishing-maven-plugin:0.7.0
• Removed org.sonatype.plugins:nexus-staging-maven-plugin:1.7.0

8.1.9 Add logging for source filter contradictions

This release adds lower-level logging to help explain why source filters may contradict each other and return no results.

Features

#190: Added logging for source filter contradictions

8.1.8 Add logging for decision on empty query plan

This release adds logging to help trace why an empty query plan is returned.

Features

#188: Added logging for decisions leading to empty query plans

8.1.7 Fix vulnerabilities CVE-2025-48734 and CVE-2025-4949 in test dependencies

This release fixes vulnerabilities CVE-2025-48734 and CVE-2025-4949 in test dependencies.

Security

• #185: Fixed CVE-2025-48734 in commons-beanutils:commons-beanutils:jar:1.9.4:test
• #183: Fixed CVE-2025-4949 in org.eclipse.jgit:org.eclipse.jgit:jar:6.7.0.202309050840-r:test

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:virtual-schema-common-document:11.0.1 to 11.0.3
• Updated de.siegmar:fastcsv:3.4.0 to 3.7.0

Test Dependency Updates

• Updated com.exasol:hamcrest-resultset-matcher:1.7.0 to 1.7.1
• Updated com.exasol:performance-test-recorder-java:0.1.3 to 0.1.4
• Updated com.exasol:udf-debugging-java:0.6.14 to 0.6.16
• Updated com.exasol:virtual-schema-common-document:11.0.1 to 11.0.3
• Updated org.junit.jupiter:junit-jupiter-params:5.11.4 to 5.13.0
• Updated org.mockito:mockito-junit-jupiter:5.15.2 to 5.18.0

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.5.0 to 5.1.0
• Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
• Removed io.github.zlika:reproducible-build-maven-plugin:0.17
• Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
• Updated org.apache.maven.plugins:maven-clean-plugin:3.4.0 to 3.4.1
• Updated org.apache.maven.plugins:maven-compiler-plugin:3.13.0 to 3.14.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.3 to 3.1.4
• Updated org.apache.maven.plugins:maven-install-plugin:3.1.3 to 3.1.4
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.11.1 to 3.11.2
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
• Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
• Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751

8.1.6 Fix vulnerability CVE-2025-25193 in dependencies

This release fixes vulnerability CVE-2025-25193 in transitive dependency io.netty:netty-common:jar:4.1.115.Final:compile

Security

• #178: Fixed CVE-2025-25193 in io.netty:netty-common:jar:4.1.115.Final:compile

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:parquet-io-java:2.0.12 to 2.0.13
• Updated com.exasol:virtual-schema-common-document:11.0.0 to 11.0.1

Test Dependency Updates

• Updated com.exasol:udf-debugging-java:0.6.13 to 0.6.14
• Updated com.exasol:virtual-schema-common-document:11.0.0 to 11.0.1
• Updated nl.jqno.equalsverifier:equalsverifier:3.17.3 to 3.19
• Updated org.junit.jupiter:junit-jupiter-params:5.11.3 to 5.11.4
• Updated org.mockito:mockito-junit-jupiter:5.14.2 to 5.15.2

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.4.0 to 4.5.0
• Updated org.apache.maven.plugins:maven-deploy-plugin:3.1.2 to 3.1.3
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.10.1 to 3.11.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.9.1 to 3.21.0
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.1 to 3.5.2
• Updated org.codehaus.mojo:versions-maven-plugin:2.17.1 to 2.18.0
• Updated org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121 to 5.0.0.4389

8.1.5 Fixed vulnerability CVE-2024-47535 in io.netty:netty-common:jar:4.1.104.Final:test

This release fixes the following vulnerability:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.104.Final:test

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

• https://ossindex.sonatype.org/vulnerability/CVE-2024-47535?component-type=maven&component-name=io.netty%2Fnetty-common&utm_source=ossindex-client&utm_medium=integration&utm_content=1.8.1
• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-47535
• GHSA-xq3w-v528-46rv

Security

• #174: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.104.Final:test

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:parquet-io-java:2.0.11 to 2.0.12
• Updated de.siegmar:fastcsv:3.3.1 to 3.4.0
• Updated io.deephaven:deephaven-csv:0.14.0 to 0.15.0

Test Dependency Updates

• Updated nl.jqno.equalsverifier:equalsverifier:3.17.1 to 3.17.3
• Updated org.junit.jupiter:junit-jupiter-params:5.11.2 to 5.11.3

Plugin Dependency Updates

• Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
• Added com.exasol:quality-summarizer-maven-plugin:0.2.0
• Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
• Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
• Updated org.apache.maven.plugins:maven-gpg-plugin:3.2.4 to 3.2.7
• Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
• Updated org.apache.maven.plugins:maven-javadoc-plugin:3.7.0 to 3.10.1
• Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
• Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
• Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
• Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

8.1.4 Fix CVE-2024-47561 in dependency

This release fixes vulnerability CVE-2024-47561 by updating transitive dependency org.apache.avro:avro via com.exasol:parquet-io-java.

Security Issues

• #171: Fixed vulnerability CVE-2024-47561 in org.apache.avro:avro

Dependency Updates

Compile Dependency Updates

• Updated com.exasol:parquet-io-java:2.0.10 to 2.0.11
• Updated de.siegmar:fastcsv:3.3.0 to 3.3.1

Test Dependency Updates

• Updated nl.jqno.equalsverifier:equalsverifier:3.16.2 to 3.17.1
• Updated org.junit.jupiter:junit-jupiter-params:5.11.0 to 5.11.2
• Updated org.mockito:mockito-junit-jupiter:5.13.0 to 5.14.2

8.1.3 Adapt tests to fixed bug in Exasol

This release updates integration tests, adapting to a fixed bug in ALTER VIRTUAL SCHEMA. This allows running the shared integration tests against the latest version of Exasol DB.

Bugfixes

• #169: Adapted shared integration tests to bugfix in Exasol

Dependency Updates

Compile Dependency Updates

• Updated de.siegmar:fastcsv:3.2.0 to 3.3.0

Test Dependency Updates

• Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
• Updated nl.jqno.equalsverifier:equalsverifier:3.16.1 to 3.16.2
• Updated org.hamcrest:hamcrest:2.2 to 3.0
• Updated org.junit.jupiter:junit-jupiter-params:5.10.3 to 5.11.0
• Updated org.mockito:mockito-junit-jupiter:5.12.0 to 5.13.0