
Releases: exasol/azure-blob-storage-document-files-virtual-schema

2.1.6 Fixes for vulnerability CVE-2025-55163

26 Aug 12:28
a6e006d

This release fixes the following vulnerability:

CVE-2025-55163 (CWE-770) in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:compile

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol that uses malformed HTTP/2 control frames to break the max concurrent streams limit, which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.

CVE: CVE-2025-55163
CWE: CWE-770

References

Security

  • #82: Fixed vulnerability CVE-2025-55163 in dependency io.netty:netty-codec-http2:jar:4.1.118.Final:compile

2.1.5 Fixes for vulnerabilities CVE-2025-22227 and CVE-2025-48924

01 Aug 11:08
7e60b12

This release fixes the following vulnerabilities:

CVE-2025-22227 (CWE-200) in dependency io.projectreactor.netty:reactor-netty-http:jar:1.0.48:compile

In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects.

CVE: CVE-2025-22227
CWE: CWE-200

References

CVE-2025-48924 (CWE-674) in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Uncontrolled Recursion vulnerability in Apache Commons Lang.

This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.

The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.

Users are recommended to upgrade to version 3.18.0, which fixes the issue.

CVE: CVE-2025-48924
CWE: CWE-674

References

Security

  • #80: Fixed vulnerability CVE-2025-22227 in dependency io.projectreactor.netty:reactor-netty-http:jar:1.0.48:compile
  • #79: Fixed vulnerability CVE-2025-48924 in dependency org.apache.commons:commons-lang3:jar:3.16.0:test

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:udf-debugging-java:0.6.14 to 0.6.17

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.3 to 2.0.4
  • Updated com.exasol:project-keeper-maven-plugin:5.1.0 to 5.2.3

2.1.4 Fixed vulnerabilities CVE-2025-48734, CVE-2025-4949 and CVE-2024-55551 in test dependencies

03 Jun 13:43
a277a0e

This release is a security update. We updated the dependencies of the project to fix transitive security issues.

We also added an exception for the OSSIndex for CVE-2024-55551, which is a false positive in Exasol's JDBC driver.
This issue was fixed quite a while ago, but the OSSIndex entry unfortunately does not have the fix version 24.2.1 (2024-12-10) set.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.1.5 to 8.1.7

Test Dependency Updates

  • Updated com.exasol:performance-test-recorder-java:0.1.3 to 0.1.4
  • Updated com.exasol:virtual-schema-common-document-files:8.1.5 to 8.1.7
  • Updated org.jacoco:org.jacoco.agent:0.8.12 to 0.8.13

Plugin Dependency Updates

  • Updated com.exasol:artifact-reference-checker-maven-plugin:0.4.2 to 0.4.3
  • Updated com.exasol:project-keeper-maven-plugin:4.5.0 to 5.1.0
  • Added io.github.git-commit-id:git-commit-id-maven-plugin:9.0.1
  • Removed io.github.zlika:reproducible-build-maven-plugin:0.17
  • Added org.apache.maven.plugins:maven-artifact-plugin:3.6.0
  • Updated org.apache.maven.plugins:maven-clean-plugin:3.4.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.13.0 to 3.14.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.2 to 3.5.3
  • Updated org.apache.maven.plugins:maven-install-plugin:3.1.3 to 3.1.4
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.2 to 3.5.3
  • Updated org.codehaus.mojo:flatten-maven-plugin:1.6.0 to 1.7.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.12 to 0.8.13
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:5.0.0.4389 to 5.1.0.4751

2.1.3 Fix vulnerabilities CVE-2025-25193 and CVE-2025-24970 in dependencies

12 Feb 15:02
d9b2df6

This release fixes the following vulnerabilities in dependencies:

Security

Dependency Updates

Compile Dependency Updates

  • Removed com.azure:azure-core-http-netty:1.15.7

Test Dependency Updates

  • Removed com.exasol:bucketfs-java:3.2.1
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.6 to 2.1.7
  • Updated com.exasol:udf-debugging-java:0.6.13 to 0.6.14
  • Updated org.junit.jupiter:junit-jupiter-params:5.11.3 to 5.11.4
  • Updated org.mockito:mockito-core:5.14.2 to 5.15.2
  • Updated org.testcontainers:junit-jupiter:1.20.3 to 1.20.4

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.4.0 to 4.5.0
  • Updated org.apache.maven.plugins:maven-dependency-plugin:3.8.0 to 3.8.1
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.5.1 to 3.5.2
  • Updated org.apache.maven.plugins:maven-site-plugin:3.9.1 to 3.21.0
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.5.1 to 3.5.2
  • Updated org.codehaus.mojo:versions-maven-plugin:2.17.1 to 2.18.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:4.0.0.4121 to 5.0.0.4389

2.1.2 Fixed vulnerabilities CVE-2024-47535 and CVE-2024-47561

19 Nov 09:59
765a4a6

This release fixes the following vulnerabilities:

CVE-2024-47535 (CWE-400) in dependency io.netty:netty-common:jar:4.1.110.Final:compile

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

References

CVE-2024-47561 (CWE-502) in dependency org.apache.avro:avro:jar:1.11.3:compile

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code.
Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.

References

Security

  • #65: Fixed vulnerability CVE-2024-47535 in dependency io.netty:netty-common:jar:4.1.110.Final:compile
  • #63: Fixed vulnerability CVE-2024-47561 in dependency org.apache.avro:avro:jar:1.11.3:compile

Dependency Updates

Compile Dependency Updates

  • Added com.azure:azure-core-http-netty:1.15.7
  • Updated com.azure:azure-storage-blob:12.27.0 to 12.29.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.2 to 8.1.5
  • Updated org.slf4j:slf4j-jdk14:2.0.13 to 2.0.16

Test Dependency Updates

  • Added com.exasol:bucketfs-java:3.2.1
  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.4 to 2.1.6
  • Updated com.exasol:hamcrest-resultset-matcher:1.6.5 to 1.7.0
  • Updated com.exasol:test-db-builder-java:3.5.4 to 3.6.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.2 to 8.1.5
  • Updated org.hamcrest:hamcrest:2.2 to 3.0
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.3 to 5.11.3
  • Updated org.mockito:mockito-core:5.12.0 to 5.14.2
  • Updated org.testcontainers:junit-jupiter:1.20.0 to 1.20.3

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.3 to 4.4.0
  • Added com.exasol:quality-summarizer-maven-plugin:0.2.0
  • Updated io.github.zlika:reproducible-build-maven-plugin:0.16 to 0.17
  • Updated org.apache.maven.plugins:maven-clean-plugin:2.5 to 3.4.0
  • Updated org.apache.maven.plugins:maven-dependency-plugin:3.6.1 to 3.8.0
  • Updated org.apache.maven.plugins:maven-failsafe-plugin:3.2.5 to 3.5.1
  • Updated org.apache.maven.plugins:maven-install-plugin:2.4 to 3.1.3
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.4.1 to 3.4.2
  • Updated org.apache.maven.plugins:maven-resources-plugin:2.6 to 3.3.1
  • Updated org.apache.maven.plugins:maven-site-plugin:3.3 to 3.9.1
  • Updated org.apache.maven.plugins:maven-surefire-plugin:3.2.5 to 3.5.1
  • Updated org.codehaus.mojo:versions-maven-plugin:2.16.2 to 2.17.1

2.1.1 Fix CVE-2024-25638 in `dnsjava:dnsjava:jar:3.4.0:compile`

30 Jul 09:03
a73489f

This release fixes vulnerability CVE-2024-25638 in dnsjava:dnsjava:jar:3.4.0:compile.

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.26.1 to 12.27.0
  • Updated com.exasol:virtual-schema-common-document-files:8.1.0 to 8.1.2

Test Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.1.0 to 8.1.2
  • Updated org.junit.jupiter:junit-jupiter-params:5.10.2 to 5.10.3
  • Updated org.testcontainers:junit-jupiter:1.19.8 to 1.20.0

2.1.0 Configure column names for automatic mapping inference

17 Jun 12:27
30a219a

This release allows configuring the mapping of column names for the automatic mapping inference in Parquet and CSV files. Previously, the virtual schema always converted source column names to UPPER_SNAKE_CASE to create the Exasol column names. This is now configurable with the EDML property autoInferenceColumnNames. This property supports the following values:

  • CONVERT_TO_UPPER_SNAKE_CASE: Convert column names to UPPER_SNAKE_CASE (default).
  • KEEP_ORIGINAL_NAME: Do not convert column names, use column name from source.

See the EDML user guide for details.

Features

  • #58: Added option to keep original column name for auto inference

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.25.3 to 12.26.1
  • Updated com.exasol:virtual-schema-common-document-files:8.0.4 to 8.1.0
  • Updated org.slf4j:slf4j-jdk14:2.0.12 to 2.0.13

Runtime Dependency Updates

  • Removed com.azure:azure-core-http-netty:1.14.2

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.2 to 2.1.4
  • Updated com.exasol:virtual-schema-common-document-files:8.0.4 to 8.1.0
  • Updated org.mockito:mockito-core:5.11.0 to 5.12.0
  • Updated org.testcontainers:junit-jupiter:1.19.7 to 1.19.8

Plugin Dependency Updates

  • Updated com.exasol:project-keeper-maven-plugin:4.3.2 to 4.3.3

2.0.5 Security update - fix for CVE-2024-36114

04 Jun 08:29
40350a8

Fixed CVE-2024-36114 (GHSA-973x-65j7-xcf4).

Security

Dependency Updates

Compile Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.0.3 to 8.0.4

Test Dependency Updates

  • Updated com.exasol:virtual-schema-common-document-files:8.0.3 to 8.0.4
  • Updated org.jacoco:org.jacoco.agent:0.8.11 to 0.8.12

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.2 to 2.0.3
  • Updated com.exasol:project-keeper-maven-plugin:4.3.0 to 4.3.2
  • Updated org.apache.maven.plugins:maven-enforcer-plugin:3.4.1 to 3.5.0
  • Updated org.apache.maven.plugins:maven-jar-plugin:3.3.0 to 3.4.1
  • Updated org.apache.maven.plugins:maven-toolchains-plugin:3.1.0 to 3.2.0
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.11.0.3922 to 4.0.0.4121

2.0.4 Verify storage generation in integration tests

10 Apr 13:48
ee61ff4

This release adds an integration test that verifies that "Data Lake Gen2 upgrade" is not enabled for the Azure storage account.

Dependency Updates

Test Dependency Updates

  • Updated com.exasol:udf-debugging-java:0.6.12 to 0.6.13

2.0.3 Fix CVE-2024-29025, CVE-2024-29133 & CVE-2024-29131 in dependencies

09 Apr 09:35
8d9bdae

This release fixed vulnerabilities CVE-2024-29025, CVE-2024-29133 & CVE-2024-29131 in dependencies.

Security

  • #52: Fixed CVE-2024-29025 in io.netty:netty-codec-http:jar:4.1.101.Final:test
  • #51: Fixed CVE-2024-29133 in org.apache.commons:commons-configuration2:jar:2.8.0:compile
  • #50: Fixed CVE-2024-29131 in org.apache.commons:commons-configuration2:jar:2.8.0:compile

Dependency Updates

Compile Dependency Updates

  • Updated com.azure:azure-storage-blob:12.25.2 to 12.25.3
  • Updated com.exasol:virtual-schema-common-document-files:8.0.2 to 8.0.3

Runtime Dependency Updates

  • Added com.azure:azure-core-http-netty:1.14.2

Test Dependency Updates

  • Updated com.exasol:exasol-test-setup-abstraction-java:2.1.1 to 2.1.2
  • Updated com.exasol:virtual-schema-common-document-files:8.0.2 to 8.0.3

Plugin Dependency Updates

  • Updated com.exasol:error-code-crawler-maven-plugin:2.0.1 to 2.0.2
  • Updated com.exasol:project-keeper-maven-plugin:4.2.0 to 4.3.0
  • Updated org.apache.maven.plugins:maven-assembly-plugin:3.6.0 to 3.7.1
  • Updated org.apache.maven.plugins:maven-compiler-plugin:3.12.1 to 3.13.0
  • Updated org.jacoco:jacoco-maven-plugin:0.8.11 to 0.8.12
  • Updated org.sonarsource.scanner.maven:sonar-maven-plugin:3.10.0.2594 to 3.11.0.3922