[jira] [Updated] (GEODE-10543) Remediation of CVE-2025-68161

Wed, 07 Jan 2026 05:59:20 -0800 


     [ 
https://issues.apache.org/jira/browse/GEODE-10543?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jinwoo Hwang updated GEODE-10543:
---------------------------------
    Description: 
h1. Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation)
h2. Overview

This document outlines the plan to upgrade Apache Log4j from version *2.17.2* 
to *2.25.3* to remediate the security vulnerability 
[CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161].
h2. Vulnerability Details

*CVE ID:* [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
*Current Version:* 2.17.2
*Target Version:* 2.25.3
*Severity:* MEDIUM
*Impact:* Security vulnerability in Log4j requiring immediate remediation
h2. Files Requiring Updates

The following files and locations reference Log4j 2.17.2 and need to be updated:
h3. Build Configuration
 * 
{{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
 ** Update {{deps.put("log4j.version", "2.17.2")}} to 
{{deps.put("log4j.version", "2.25.3")}}

h3. Documentation Files
 * {{geode-docs/managing/logging/configuring_log4j2.html.md.erb}}
 ** Update references from 2.17.2 to 2.25.3 (lines 39-41, 45, 48)
 * {{geode-docs/managing/logging/how_logging_works.html.md.erb}}
 ** Update references from 2.17.2 to 2.25.3 (lines 24, 26)
 * 
{{geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb}}
 ** Update JAR references from 2.17.2 to 2.25.3 (lines 111-113)

h3. Test Resources
 * 
{{geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle}}
 ** Update hardcoded version from 2.17.2 to 2.25.3 (line 28)
 * 
{{geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt}}
 ** Update JAR names from 2.17.2 to 2.25.3 (lines 35-39)
 * {{geode-assembly/src/integrationTest/resources/assembly_content.txt}}
 ** Update JAR names from 2.17.2 to 2.25.3 (lines 1015-1018)

h2. Implementation Steps
 # *Update Dependency Version*
 ** Modify {{DependencyConstraints.groovy}} to set log4j.version to 2.25.3
 # *Update Documentation*
 ** Update all documentation files to reference the new version
 ** Verify download links and documentation still point to valid resources
 # *Update Test Resources*
 ** Update test configuration files and resource lists
 ** Regenerate or update assembly content lists if automated
 # *Build and Test*
 ** Run full build: {{./gradlew clean build}}
 ** Run unit tests: {{./gradlew test}}
 ** Run integration tests: {{./gradlew integrationTest}}
 ** Run distributed tests: {{./gradlew distributedTest}}
 # *Verify Dependencies*
 ** Check dependency tree: {{./gradlew dependencies}}
 ** Verify no older Log4j versions are transitively included
 # *Security Scan*
 ** Run vulnerability scan to confirm CVE-2025-68161 is resolved
 ** Check for any new vulnerabilities introduced

h2. Testing Strategy
h3. Unit Testing
 * Verify all existing unit tests pass with the new Log4j version
 * Focus on logging-related tests in {{geode-log4j}} module

h3. Integration Testing
 * Test logging configurations across different modules
 * Verify Log4j bridge integrations (JUL, SLF4J, JCL) function correctly
 * Test session management logging (Tomcat/WebLogic modules)

h3. Compatibility Testing
 * Verify compatibility with:
 ** Java 17
 ** Different application servers (Tomcat, WebLogic)
 ** Existing log4j2 configuration files

h3. Regression Testing
 * Run full test suite to ensure no functionality is broken
 * Test specific scenarios:
 ** Log file rotation
 ** Custom appenders
 ** Log filtering
 ** Performance benchmarks

h2. Rollback Plan

If issues are discovered after the upgrade:
 # Revert the version change in {{DependencyConstraints.groovy}}
 # Revert documentation changes
 # Rebuild and redeploy with Log4j 2.17.2
 # Document any compatibility issues discovered

h2. Dependencies Impact

The following Geode modules use Log4j and may be affected:
 * {{geode-log4j}} - Core Log4j integration
 * {{geode-gfsh}} - GFSH command-line tool
 * {{geode-tcp-server}} - TCP server implementation
 * {{geode-assembly}} - Distribution assembly
 * {{geode-modules}} - HTTP session management modules

h2. Breaking Changes

Review Log4j [release 
notes|https://logging.apache.org/log4j/2.x/changes-report.html] for versions 
between 2.17.2 and 2.25.3:
 * Identify any deprecated APIs that Geode may be using
 * Check for configuration format changes
 * Review any behavioral changes that could affect Geode

h2. Timeline

*Estimated effort:* 2-3 weeks including testing
 * Week 1: Code changes and initial testing
 * Week 2: Integration and regression testing
 * Week 3: Documentation review and final validation

h2. Success Criteria
 * [ ] All code references to Log4j 2.17.2 updated to 2.25.3
 * [ ] All builds pass successfully
 * [ ] All tests pass (unit, integration, distributed)
 * [ ] CVE-2025-68161 no longer reported in vulnerability scans
 * [ ] No new vulnerabilities introduced
 * [ ] Documentation accurately reflects new version
 * [ ] Release notes updated

h2. References
 * [CVE-2025-68161 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
 * [Log4j 2.x Download|https://logging.apache.org/log4j/2.x/download.html]
 * [Log4j 2.x Release 
Notes|https://logging.apache.org/log4j/2.x/changes-report.html]
 * [Apache Geode Documentation|https://geode.apache.org/docs/]

h2. Risks and Mitigations
||Risk||Impact||Likelihood||Mitigation||
|Breaking API changes in Log4j|High|Low|Review release notes thoroughly; test 
extensively|
|Transitive dependency conflicts|Medium|Medium|Use {{./gradlew dependencies}} 
to identify conflicts|
|Performance degradation|Medium|Low|Run performance benchmarks before/after 
upgrade|
|Configuration incompatibilities|Medium|Low|Test with various log4j2.xml 
configurations|
|Module-specific issues|High|Medium|Test all HTTP session management modules 
thoroughly|
h2. Communication Plan
 * Notify development team of planned upgrade
 * Update JIRA ticket with progress
 * Document any issues encountered during testing
 * Share test results with team before merge
 * Update release notes for next Geode release

 

  was:
Remediation of the security vulnerabilities reported in
 * [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]


> Remediation of CVE-2025-68161
> -----------------------------
>
>                 Key: GEODE-10543
>                 URL: https://issues.apache.org/jira/browse/GEODE-10543
>             Project: Geode
>          Issue Type: Improvement
>            Reporter: Jinwoo Hwang
>            Assignee: Jinwoo Hwang
>            Priority: Major
>             Fix For: 2.0.1
>
>
> h1. Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation)
> h2. Overview
> This document outlines the plan to upgrade Apache Log4j from version *2.17.2* 
> to *2.25.3* to remediate the security vulnerability 
> [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161].
> h2. Vulnerability Details
> *CVE ID:* [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> *Current Version:* 2.17.2
> *Target Version:* 2.25.3
> *Severity:* MEDIUM
> *Impact:* Security vulnerability in Log4j requiring immediate remediation
> h2. Files Requiring Updates
> The following files and locations reference Log4j 2.17.2 and need to be 
> updated:
> h3. Build Configuration
>  * 
> {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
>  ** Update {{deps.put("log4j.version", "2.17.2")}} to 
> {{deps.put("log4j.version", "2.25.3")}}
> h3. Documentation Files
>  * {{geode-docs/managing/logging/configuring_log4j2.html.md.erb}}
>  ** Update references from 2.17.2 to 2.25.3 (lines 39-41, 45, 48)
>  * {{geode-docs/managing/logging/how_logging_works.html.md.erb}}
>  ** Update references from 2.17.2 to 2.25.3 (lines 24, 26)
>  * 
> {{geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb}}
>  ** Update JAR references from 2.17.2 to 2.25.3 (lines 111-113)
> h3. Test Resources
>  * 
> {{geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle}}
>  ** Update hardcoded version from 2.17.2 to 2.25.3 (line 28)
>  * 
> {{geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt}}
>  ** Update JAR names from 2.17.2 to 2.25.3 (lines 35-39)
>  * {{geode-assembly/src/integrationTest/resources/assembly_content.txt}}
>  ** Update JAR names from 2.17.2 to 2.25.3 (lines 1015-1018)
> h2. Implementation Steps
>  # *Update Dependency Version*
>  ** Modify {{DependencyConstraints.groovy}} to set log4j.version to 2.25.3
>  # *Update Documentation*
>  ** Update all documentation files to reference the new version
>  ** Verify download links and documentation still point to valid resources
>  # *Update Test Resources*
>  ** Update test configuration files and resource lists
>  ** Regenerate or update assembly content lists if automated
>  # *Build and Test*
>  ** Run full build: {{./gradlew clean build}}
>  ** Run unit tests: {{./gradlew test}}
>  ** Run integration tests: {{./gradlew integrationTest}}
>  ** Run distributed tests: {{./gradlew distributedTest}}
>  # *Verify Dependencies*
>  ** Check dependency tree: {{./gradlew dependencies}}
>  ** Verify no older Log4j versions are transitively included
>  # *Security Scan*
>  ** Run vulnerability scan to confirm CVE-2025-68161 is resolved
>  ** Check for any new vulnerabilities introduced
> h2. Testing Strategy
> h3. Unit Testing
>  * Verify all existing unit tests pass with the new Log4j version
>  * Focus on logging-related tests in {{geode-log4j}} module
> h3. Integration Testing
>  * Test logging configurations across different modules
>  * Verify Log4j bridge integrations (JUL, SLF4J, JCL) function correctly
>  * Test session management logging (Tomcat/WebLogic modules)
> h3. Compatibility Testing
>  * Verify compatibility with:
>  ** Java 17
>  ** Different application servers (Tomcat, WebLogic)
>  ** Existing log4j2 configuration files
> h3. Regression Testing
>  * Run full test suite to ensure no functionality is broken
>  * Test specific scenarios:
>  ** Log file rotation
>  ** Custom appenders
>  ** Log filtering
>  ** Performance benchmarks
> h2. Rollback Plan
> If issues are discovered after the upgrade:
>  # Revert the version change in {{DependencyConstraints.groovy}}
>  # Revert documentation changes
>  # Rebuild and redeploy with Log4j 2.17.2
>  # Document any compatibility issues discovered
> h2. Dependencies Impact
> The following Geode modules use Log4j and may be affected:
>  * {{geode-log4j}} - Core Log4j integration
>  * {{geode-gfsh}} - GFSH command-line tool
>  * {{geode-tcp-server}} - TCP server implementation
>  * {{geode-assembly}} - Distribution assembly
>  * {{geode-modules}} - HTTP session management modules
> h2. Breaking Changes
> Review Log4j [release 
> notes|https://logging.apache.org/log4j/2.x/changes-report.html] for versions 
> between 2.17.2 and 2.25.3:
>  * Identify any deprecated APIs that Geode may be using
>  * Check for configuration format changes
>  * Review any behavioral changes that could affect Geode
> h2. Timeline
> *Estimated effort:* 2-3 weeks including testing
>  * Week 1: Code changes and initial testing
>  * Week 2: Integration and regression testing
>  * Week 3: Documentation review and final validation
> h2. Success Criteria
>  * [ ] All code references to Log4j 2.17.2 updated to 2.25.3
>  * [ ] All builds pass successfully
>  * [ ] All tests pass (unit, integration, distributed)
>  * [ ] CVE-2025-68161 no longer reported in vulnerability scans
>  * [ ] No new vulnerabilities introduced
>  * [ ] Documentation accurately reflects new version
>  * [ ] Release notes updated
> h2. References
>  * [CVE-2025-68161 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
>  * [Log4j 2.x Download|https://logging.apache.org/log4j/2.x/download.html]
>  * [Log4j 2.x Release 
> Notes|https://logging.apache.org/log4j/2.x/changes-report.html]
>  * [Apache Geode Documentation|https://geode.apache.org/docs/]
> h2. Risks and Mitigations
> ||Risk||Impact||Likelihood||Mitigation||
> |Breaking API changes in Log4j|High|Low|Review release notes thoroughly; test 
> extensively|
> |Transitive dependency conflicts|Medium|Medium|Use {{./gradlew dependencies}} 
> to identify conflicts|
> |Performance degradation|Medium|Low|Run performance benchmarks before/after 
> upgrade|
> |Configuration incompatibilities|Medium|Low|Test with various log4j2.xml 
> configurations|
> |Module-specific issues|High|Medium|Test all HTTP session management modules 
> thoroughly|
> h2. Communication Plan
>  * Notify development team of planned upgrade
>  * Update JIRA ticket with progress
>  * Document any issues encountered during testing
>  * Share test results with team before merge
>  * Update release notes for next Geode release
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to