Jinwoo Hwang created GEODE-10545:
------------------------------------
Summary: Migrate Log4j Integration Tests to log4j-core-test
Key: GEODE-10545
URL: https://issues.apache.org/jira/browse/GEODE-10545
Project: Geode
Issue Type: Improvement
Reporter: Jinwoo Hwang
Assignee: Jinwoo Hwang
Fix For: 2.0.1
h1. Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation)
h2. Overview
This document outlines the plan to upgrade Apache Log4j from version *2.17.2*
to *2.25.3* to remediate the security vulnerability
[CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161].
h2. Vulnerability Details
*CVE ID:* [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
*Current Version:* 2.17.2
*Target Version:* 2.25.3
*Severity:* MEDIUM
*Impact:* Security vulnerability in Log4j requiring immediate remediation
h2. Files Requiring Updates
The following files and locations reference Log4j 2.17.2 and need to be updated:
h3. Build Configuration
* {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
** Update {{deps.put("log4j.version", "2.17.2")}} to {{deps.put("log4j.version", "2.25.3")}}
h3. Documentation Files
* {{geode-docs/managing/logging/configuring_log4j2.html.md.erb}}
** Update references from 2.17.2 to 2.25.3 (lines 39-41, 45, 48)
* {{geode-docs/managing/logging/how_logging_works.html.md.erb}}
** Update references from 2.17.2 to 2.25.3 (lines 24, 26)
* {{geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb}}
** Update JAR references from 2.17.2 to 2.25.3 (lines 111-113)
h3. Test Resources
* {{geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle}}
** Update hardcoded version from 2.17.2 to 2.25.3 (line 28)
* {{geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt}}
** Update JAR names from 2.17.2 to 2.25.3 (lines 35-39)
* {{geode-assembly/src/integrationTest/resources/assembly_content.txt}}
** Update JAR names from 2.17.2 to 2.25.3 (lines 1015-1018)
h2. Implementation Steps
# *Update Dependency Version*
** Modify {{DependencyConstraints.groovy}} to set log4j.version to 2.25.3
# *Update Documentation*
** Update all documentation files to reference the new version
** Verify download links and documentation still point to valid resources
# *Update Test Resources*
** Update test configuration files and resource lists
** Regenerate or update assembly content lists if automated
# *Build and Test*
** Run full build: {{./gradlew clean build}}
** Run unit tests: {{./gradlew test}}
** Run integration tests: {{./gradlew integrationTest}}
** Run distributed tests: {{./gradlew distributedTest}}
# *Verify Dependencies*
** Check dependency tree: {{./gradlew dependencies}}
** Verify no older Log4j versions are transitively included
# *Security Scan*
** Run vulnerability scan to confirm CVE-2025-68161 is resolved
** Check for any new vulnerabilities introduced
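Step 5 above asks for confirmation that no older Log4j version is still pulled in transitively. The script below is added here as an illustration (it is not code from this ticket or from the Geode build): it reads the output of {{./gradlew dependencies}} on stdin and fails when any {{org.apache.logging.log4j}} artifact resolves to a version other than 2.25.3. The two sample reports inside it are constructed, not real Geode output.

```bash
#!/usr/bin/env bash
# Added example, not from the GEODE-10545 ticket or the Geode build.
# Gradle prints "group:artifact:declared -> resolved" when conflict
# resolution picked another version, "group:artifact -> resolved" when no
# version was declared, and "(*)" after repeated subtrees; all are handled.
TARGET_VERSION="2.25.3"
LOG4J_GROUP='org\.apache\.logging\.log4j'

# Reads a dependency report on stdin; prints unique "artifact version" pairs.
resolved_log4j_versions() {
  grep -oE "${LOG4J_GROUP}:[A-Za-z0-9._-]+(:[0-9][^ ]*)?( -> [0-9][^ ]*)?" |
  while IFS= read -r line; do
    rest=${line#*:}                 # drop the group id
    artifact=${rest%%[: ]*}         # artifact ends at ':' or ' '
    case "$line" in
      *" -> "*) version=${line##* -> } ;;   # resolved version wins
      *:*:*)    version=${rest#*:} ;;       # declared version only
      *)        continue ;;                 # no version information
    esac
    printf '%s %s\n' "$artifact" "$version"
  done | sort -u
}

# Exit 0 when every Log4j artifact is at TARGET_VERSION, 1 otherwise.
check_log4j_versions() {
  stale=$(resolved_log4j_versions | awk -v t="$TARGET_VERSION" '$2 != t')
  if [ -n "$stale" ]; then
    printf 'Log4j artifacts not at %s:\n%s\n' "$TARGET_VERSION" "$stale" >&2
    return 1
  fi
  return 0
}

# Constructed sample reports (not real Geode output) for a stand-alone run.
STALE_REPORT='+--- org.apache.logging.log4j:log4j-api:2.25.3
+--- org.apache.logging.log4j:log4j-core:2.17.2 -> 2.25.3
|    \--- org.apache.logging.log4j:log4j-api:2.25.3 (*)
+--- org.apache.logging.log4j:log4j-jul -> 2.25.3
\--- org.apache.logging.log4j:log4j-slf4j-impl:2.17.2'
CLEAN_REPORT='+--- org.apache.logging.log4j:log4j-api:2.25.3
\--- org.apache.logging.log4j:log4j-core:2.17.2 -> 2.25.3'

printf '%s\n' "$STALE_REPORT" | check_log4j_versions || echo "stale report rejected"
printf '%s\n' "$CLEAN_REPORT" | check_log4j_versions && echo "clean report accepted"
```

Against the real build, pipe the report in: {{./gradlew dependencies --configuration runtimeClasspath | check_log4j_versions}}.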
h2. Testing Strategy
h3. Unit Testing
* Verify all existing unit tests pass with the new Log4j version
* Focus on logging-related tests in {{geode-log4j}} module
h3. Integration Testing
* Test logging configurations across different modules
* Verify Log4j bridge integrations (JUL, SLF4J, JCL) function correctly
* Test session management logging (Tomcat/WebLogic modules)
h3. Compatibility Testing
* Verify compatibility with:
** Java 17
** Different application servers (Tomcat, WebLogic)
** Existing log4j2 configuration files
h3. Regression Testing
* Run full test suite to ensure no functionality is broken
* Test specific scenarios:
** Log file rotation
** Custom appenders
** Log filtering
** Performance benchmarks
h2. Rollback Plan
If issues are discovered after the upgrade:
# Revert the version change in {{DependencyConstraints.groovy}}
# Revert documentation changes
# Rebuild and redeploy with Log4j 2.17.2
# Document any compatibility issues discovered
h2. Dependencies Impact
The following Geode modules use Log4j and may be affected:
* {{geode-log4j}} - Core Log4j integration
* {{geode-gfsh}} - GFSH command-line tool
* {{geode-tcp-server}} - TCP server implementation
* {{geode-assembly}} - Distribution assembly
* {{geode-modules}} - HTTP session management modules
h2. Breaking Changes
Review the Log4j [release notes|https://logging.apache.org/log4j/2.x/changes-report.html] for versions between 2.17.2 and 2.25.3:
* Identify any deprecated APIs that Geode may be using
* Check for configuration format changes
* Review any behavioral changes that could affect Geode
h2. Timeline
*Estimated effort:* 2-3 weeks including testing
* Week 1: Code changes and initial testing
* Week 2: Integration and regression testing
* Week 3: Documentation review and final validation
h2. Success Criteria
* [ ] All code references to Log4j 2.17.2 updated to 2.25.3
* [ ] All builds pass successfully
* [ ] All tests pass (unit, integration, distributed)
* [ ] CVE-2025-68161 no longer reported in vulnerability scans
* [ ] No new vulnerabilities introduced
* [ ] Documentation accurately reflects new version
* [ ] Release notes updated
h2. References
* [CVE-2025-68161 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
* [Log4j 2.x Download|https://logging.apache.org/log4j/2.x/download.html]
* [Log4j 2.x Release Notes|https://logging.apache.org/log4j/2.x/changes-report.html]
* [Apache Geode Documentation|https://geode.apache.org/docs/]
h2. Risks and Mitigations
||Risk||Impact||Likelihood||Mitigation||
|Breaking API changes in Log4j|High|Low|Review release notes thoroughly; test extensively|
|Transitive dependency conflicts|Medium|Medium|Use {{./gradlew dependencies}} to identify conflicts|
|Performance degradation|Medium|Low|Run performance benchmarks before/after upgrade|
|Configuration incompatibilities|Medium|Low|Test with various log4j2.xml configurations|
|Module-specific issues|High|Medium|Test all HTTP session management modules thoroughly|
h2. Communication Plan
* Notify development team of planned upgrade
* Update JIRA ticket with progress
* Document any issues encountered during testing
* Share test results with team before merge
* Update release notes for next Geode release
--
This message was sent by Atlassian Jira
(v8.20.10#820010)