Action Required: Connector Cloud Gateway - commons-lang2 Removal and Migration to commons-lang3

Summary

SailPoint is removing the Apache Commons Lang 2 library (commons-lang2) from the Connector Cloud Gateway (CCG) as part of a security remediation addressing CVE-2025-48924. The platform will standardize on Apache Commons Lang 3 (commons-lang3, version 3.20.0 or later). A 60-day customer migration window will precede the CCG release that removes commons-lang2 from the classpath.

NOTE: Only connector rules are impacted.

Summary at a Glance

Aspect            Details
Old library       Apache Commons Lang 2 (org.apache.commons.lang.*)
New library       Apache Commons Lang 3 (org.apache.commons.lang3.*) v3.20.0 or later
CVE reference     CVE-2025-48924
Migration window  60 days from the official announcement date
CCG release       Rolls out after the 60-day migration window completes
Impacted scope    Customer-built connectors and connector rules referencing commons-lang2
Not impacted      Out-of-the-box SailPoint connectors (already migrated to commons-lang3)

Who Is Impacted?

You are impacted if your environment includes any of the following:

  • Custom connectors that import classes from org.apache.commons.lang.*
  • Connector rules (BeanShell or Java-based) that reference commons-lang2 classes
  • Any bundled connector artifacts that include commons-lang2 transitively or directly

Out-of-the-box SailPoint connectors are not impacted. SailPoint has already migrated platform-managed connectors to commons-lang3.

What Changes After the Migration Window?

When the new CCG version is released following the migration window, the legacy commons-lang2 JAR will be removed from the platform classpath. Custom code that still references commons-lang2 will fail at runtime. Typical errors include:

java.lang.NoClassDefFoundError: org/apache/commons/lang/ArrayUtils
java.lang.NoClassDefFoundError: org/apache/commons/lang/StringUtils
java.lang.ClassNotFoundException: org.apache.commons.lang.BooleanUtils

Expect failures during connector operations, provisioning workflows, and rule execution for any code paths that rely on affected classes.

How to Migrate?

Step 1 — Identify Affected Code

Search your custom connector source code and rule scripts for references to the legacy package (org.apache.commons.lang.*) and any direct uses of commons-lang2 classes. BeanShell rules frequently use fully qualified names without an import statement (for example org.apache.commons.lang.StringUtils.isBlank(...)), so search for the package string org.apache.commons.lang. (with the trailing dot, which excludes org.apache.commons.lang3.) rather than only for import lines. For compiled custom connector JARs, also inspect the bundled classes and any nested libraries (for example, list the archive and grep for org/apache/commons/lang/), since a transitive dependency can pull in commons-lang2 even when your own source is clean. Look for:

import org.apache.commons.lang.*;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.ArrayUtils;
// any org.apache.commons.lang.* class

Step 2 — Update the Import Namespace

The migration is primarily a package rename from org.apache.commons.lang to org.apache.commons.lang3.

// Before (commons-lang2)
import org.apache.commons.lang.StringUtils;

// After (commons-lang3)
import org.apache.commons.lang3.StringUtils;

Apply this change to all affected imports. Most class names (e.g., StringUtils, ArrayUtils, BooleanUtils) are unchanged—only the package prefix updates to org.apache.commons.lang3.

Step 3 - Adjust for API Differences

While most of the commons-lang3 API is backward-compatible with commons-lang2, some methods have been deprecated, changed, or removed. Review the Apache Commons Lang 3 migration guide for edge cases.

Key known differences:

  • org.apache.commons.lang.Validate moved to org.apache.commons.lang3.Validate (largely compatible). One behavioral change: Validate.notNull throws NullPointerException in Lang 3, where Lang 2 threw IllegalArgumentException, so rule code that catches IllegalArgumentException around a null check will no longer see it.
  • Some legacy or deprecated classes in commons-lang2 are removed in commons-lang3 and cannot be fixed by the package rename alone: the org.apache.commons.lang.enums package and the Nestable* exception classes (org.apache.commons.lang.exception.NestableException and relatives) have no Lang 3 equivalent. StringEscapeUtils, WordUtils, and the text package still exist in Lang 3 but have been deprecated since 3.6 in favor of Apache Commons Text. Consult the migration notes.
  • StringUtils.isAlpha, isAlphanumeric, isNumeric, and their relatives return false for the empty string in Lang 3 (Lang 2 returned true); check any rule that uses them to validate possibly empty attribute values.
  • CharSet / CharRange: These exist in commons-lang3 with minor behavior differences; verify boundary and null-handling logic.

Step 4 - Update Build Configuration

If your custom connector uses a Maven or Gradle build file, update the dependency declaration. The Lang 3 coordinates are groupId org.apache.commons, artifactId commons-lang3; the Lang 2 coordinates to remove are groupId commons-lang, artifactId commons-lang. After the change, print the resolved dependency tree (gradle dependencies or mvn dependency:tree) to confirm no other library still pulls in commons-lang 2.x transitively:

// Gradle
dependencies {
    implementation "org.apache.commons:commons-lang3:3.20.0" // add
    // remove: commons-lang:commons-lang:2.x
}

Step 5 - Test in Sandbox

Validate in your SailPoint ISC Sandbox before the migration window closes. Run:

  • Account and entitlement aggregations
  • Provisioning flows and lifecycle events
  • All rule execution paths (including error/edge cases)

Best practice: enable verbose logging for the first full test cycle to quickly identify any lingering references to commons-lang2.
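The five steps above can be scripted for a first pass. The following is an added example written for this post, not SailPoint tooling: it finds org.apache.commons.lang.* references in rule or connector source (imports and inline fully qualified uses alike), rewrites them to org.apache.commons.lang3.* where a drop-in class exists, reports the cases a bare package rename cannot fix, and scans a built JAR for leftover Lang 2 classes or references. The lists of removed types (the enums package and the Nestable* exceptions, dropped in Lang 3.0) and deprecated types (StringEscapeUtils, WordUtils, and the text package, deprecated since 3.6 in favor of Commons Text) are from the Lang 3 release notes; the sample rule text and the in-memory JAR are constructed fixtures, not real connector artifacts.

```python
"""Pre-migration checks for connector rules and custom connector JARs.

Added example, not SailPoint's tooling. The sample inputs at the bottom are
constructed for illustration.
"""
import io
import re
import zipfile

LANG2_PREFIX = "org.apache.commons.lang."
LANG3_PREFIX = "org.apache.commons.lang3."
LANG2_INTERNAL = b"org/apache/commons/lang/"  # JVM internal name, as stored in a class constant pool

# A fully qualified Lang 2 reference: optional lowercase sub-packages, then a class
# name or '*'. The dot after "lang" keeps "org.apache.commons.lang3." from matching.
_LANG2_REF = re.compile(r"org\.apache\.commons\.lang\.((?:[a-z]\w*\.)*(?:[A-Z]\w*|\*))")

# Lang 2 types with no Lang 3 counterpart (dropped in Lang 3.0): a package rename
# alone would still fail at runtime, so these are left unchanged and reported.
_REMOVED_IN_LANG3 = ("enums.", "exception.Nestable")
# Present in Lang 3 but deprecated since 3.6 in favour of Apache Commons Text.
_DEPRECATED_IN_LANG3 = ("StringEscapeUtils", "WordUtils", "text.")


def find_lang2_references(source):
    """Sorted, de-duplicated Lang 2 class names referenced in source/rule text."""
    return sorted({m.group(1) for m in _LANG2_REF.finditer(source)})


def rewrite_to_lang3(source):
    """Rename Lang 2 references to Lang 3. Returns (new_source, warnings)."""
    warnings = []

    def repl(match):
        name = match.group(1)
        if name.startswith(_REMOVED_IN_LANG3):
            warnings.append(f"no Lang 3 equivalent, left unchanged: {LANG2_PREFIX}{name}")
            return match.group(0)
        if name == "*":
            warnings.append("wildcard import rewritten; confirm every class used exists in Lang 3")
        elif name.startswith(_DEPRECATED_IN_LANG3):
            warnings.append(f"deprecated in Lang 3 (moved to commons-text): {LANG3_PREFIX}{name}")
        return LANG3_PREFIX + name

    return _LANG2_REF.sub(repl, source), warnings


def find_lang2_in_jar(jar_bytes):
    """Scan a JAR for Lang 2. Returns (bundled, referencing): entries that are Lang 2
    classes or a nested commons-lang 2.x JAR, and .class entries whose constant pool
    names a Lang 2 type (a bytes search suffices: internal names are modified UTF-8,
    which is plain ASCII for these package names)."""
    bundled, referencing = [], []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if name.startswith(LANG2_INTERNAL.decode()) or re.search(r"commons-lang-2\.\d", name):
                bundled.append(name)
            elif name.endswith(".class") and LANG2_INTERNAL in jar.read(name):
                referencing.append(name)
    return bundled, referencing


# --- constructed sample inputs (not real SailPoint artifacts) ------------------
SAMPLE_RULE = """\
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.NestableException;
import org.apache.commons.lang.enums.*;
import org.apache.commons.lang3.ArrayUtils;   // already on Lang 3, must not be touched
// BeanShell rules often skip imports and use the fully qualified name inline:
if (org.apache.commons.lang.StringUtils.isBlank(identity.getName())) {
    return null;
}
"""


def build_sample_jar():
    """In-memory stand-in for a built connector JAR. Real .class files are not
    needed: only the constant-pool bytes the scanner looks for are reproduced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/MyConnector.class",
                     b"\xca\xfe\xba\xbe\x00org/apache/commons/lang/StringUtils\x00")
        jar.writestr("com/example/Helper.class",
                     b"\xca\xfe\xba\xbe\x00org/apache/commons/lang3/StringUtils\x00")
        jar.writestr("org/apache/commons/lang/StringUtils.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    print("Lang 2 references:", find_lang2_references(SAMPLE_RULE))
    migrated, warnings = rewrite_to_lang3(SAMPLE_RULE)
    print(migrated)
    for w in warnings:
        print("WARNING:", w)
    bundled, referencing = find_lang2_in_jar(build_sample_jar())
    print("bundled Lang 2 entries:", bundled)
    print("classes still referencing Lang 2:", referencing)
```

Run it over each rule's source and over every JAR you upload; anything still listed under "no Lang 3 equivalent" or reported by the JAR scan needs a code change or a dependency fix, not just the rename, and will fail with the NoClassDefFoundError shown above once commons-lang2 leaves the CCG classpath.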

Timeline & Release Plan

  • Announcement Date: April 3, 2026
  • Migration Period: April 3 – June 3, 2026 (60-day window)
  • Action Needed: Update and test all custom connectors and rules in a sandbox environment to ensure compatibility with commons-lang3.
  • Production Release: Starting June 3, 2026, the CCG update will roll out incrementally, officially removing commons-lang2 support.

Hey @Angel_Tawade, the link to the Apache Commons Lang 3 migration guide (https://commons.apache.org/proper/commons-lang/migration.html) that was included in the announcement email and in the Compass post leads to a 404. Is this what we should be referencing instead: What's new in Commons Lang 3.0? – Apache Commons Lang ?

Made the changes. Please refer to this: Home – Apache Commons Lang

What are the exact dates for this? I’m not sure when day 0 really started


Does this require using available expert services hours to migrate? Or would we need to purchase hours if we currently have none?

Could you please provide an update on when the migration window officially begins? Assuming it began when this post was made, learning about a required action via a forum post with fewer than 15 working days to test and deploy to production is challenging, particularly as the vulnerability this change addresses has been known since 2025.

Additionally, the ISC documentation notes that Java 17 is required. However, Java 17/21 has known security vulnerabilities, and the role validator does not appear to support newer Java versions. Can you confirm whether the validator will be updated to support a more recent, secure Java release, or if there is an alternative submission method? Our security team will not approve the use of older, vulnerable Java versions.

EDIT: Last I read this post, the migration window said 30 days; I noticed it's been updated to 60 days. So that helps.

When can we expect this update to roll out in the sandbox environments? Thanks-

My understanding is cloud executed rules need to be updated as well? The note above says specifically “Only connector rules are impacted” hence a bit ambiguous about cloud executed rules.

At present, both Lang2 and Lang3 are supported in customer environments (stg & prd).

Customers are encouraged to begin migrating to Lang3 as soon as possible.
Please note that Lang2 will be deprecated and removed from CCG within a 60-day window, so completing the migration within this timeframe is strongly recommended to avoid any service disruption.

While these updates specifically target connector rules, we strongly recommend that customers also migrate their cloud rules to the secure Apache Commons Lang 3 implementation. This proactive step helps strengthen your organization’s overall security posture by eliminating legacy dependencies and addressing potential vulnerabilities.