diff --git a/CHANGES.md b/CHANGES.md
index b1b389db962710a58f3cdb23818d832f9be02ad7..3a2ae95dcbab4440c143297be1a9340bdc23c627 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -36,7 +36,7 @@ Release Notes.
* Upgrade zookeeper caused by CVE-2019-0201.
* Upgrade snake yaml caused by CVE-2017-18640.
* Upgrade embed tomcat caused by CVE-2020-13935.
-
+* Upgrade commons-lang3 to avoid potential NPE in some JDK versions.
#### UI
diff --git a/oap-server/pom.xml b/oap-server/pom.xml
index e659f5c8c03e069757b1cc60c65a517daf48b894..f4b8e06092673cddc7327a1e2510398a42380e5c 100755
--- a/oap-server/pom.xml
+++ b/oap-server/pom.xml
@@ -76,7 +76,7 @@
2.12.2
2.12.2
1.11
- 3.7
+ 3.12.0
1.4
0.6.0
1.8.0
diff --git a/tools/dependencies/known-oap-backend-dependencies-es7.txt b/tools/dependencies/known-oap-backend-dependencies-es7.txt
index 9db7b2fd13114332468646086a6cb319745f93ef..d4125412835b1c0fa372f8256d9485507ebf9d8f 100755
--- a/tools/dependencies/known-oap-backend-dependencies-es7.txt
+++ b/tools/dependencies/known-oap-backend-dependencies-es7.txt
@@ -21,7 +21,7 @@ commons-collections4-4.4.jar
commons-compress-1.20.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
-commons-lang3-3.7.jar
+commons-lang3-3.12.0.jar
commons-pool-1.5.4.jar
commons-text-1.4.jar
compiler-0.9.6.jar
diff --git a/tools/dependencies/known-oap-backend-dependencies.txt b/tools/dependencies/known-oap-backend-dependencies.txt
index db5c307736caf0127203fdbd444bc19521b0e1fb..a8b0cbfdf896e6ba18ac6577d441be5de652d6b4 100755
--- a/tools/dependencies/known-oap-backend-dependencies.txt
+++ b/tools/dependencies/known-oap-backend-dependencies.txt
@@ -21,7 +21,7 @@ commons-collections4-4.4.jar
commons-compress-1.20.jar
commons-dbcp-1.4.jar
commons-io-2.6.jar
-commons-lang3-3.7.jar
+commons-lang3-3.12.0.jar
commons-pool-1.5.4.jar
commons-text-1.4.jar
consul-client-1.4.2.jar