[
https://issues.apache.org/jira/browse/GEODE-10543?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050690#comment-18050690
]
ASF subversion and git services commented on GEODE-10543:
---------------------------------------------------------
Commit 3b21ac6dd49ddfc91b79b0464c7d1bb4255775e2 in geode's branch
refs/heads/develop from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=3b21ac6dd4 ]
GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202… (#7975)
* GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-2025-68161
- Updated log4j version to 2.25.3 in DependencyConstraints.groovy
- Added log4j-core-test dependency for integration tests
- Migrated integration test imports to new log4j-core-test package structure:
* org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
* org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
- Added GraalVM annotation processor configuration to suppress compilation
warnings
- Updated documentation references to log4j 2.25.3
- Updated test resource files with new JAR versions
All 21 integration tests migrated with zero logic changes.
Build successful with all tests passing.
* GEODE-10543: Fix GraalVM annotation processor options to apply only to main
compilation
The annotation processor options were being applied to all JavaCompile tasks
including integration tests, where the Log4j GraalVM processor is not
triggered. This caused compilation warnings about unrecognized processor
options.
Changed from tasks.withType(JavaCompile) to tasks.named('compileJava') to
restrict the configuration to main source compilation only.
* GEODE-10543: Exclude AssertJ 3.27.3 from log4j-core-test to prevent
NoSuchMethodError
Log4j 2.25.3's log4j-core-test transitively depends on AssertJ 3.27.3, but
Geode's
custom AssertJ assertions (AbstractLogFileAssert) were built against AssertJ
3.22.0.
The CommonValidations.failIfEmptySinceActualIsNotEmpty method signature changed
between versions, causing NoSuchMethodError at runtime.
Exclude assertj-core from log4j-core-test dependency to force usage of 3.22.0,
ensuring binary compatibility with Geode's test infrastructure.
> Remediation of CVE-2025-68161
> -----------------------------
>
> Key: GEODE-10543
> URL: https://issues.apache.org/jira/browse/GEODE-10543
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 2.0.1
>
>
> h1. Log4j Upgrade: 2.17.2 → 2.25.3 (CVE-2025-68161 Remediation)
> h2. Overview
> This document outlines the plan to upgrade Apache Log4j from version *2.17.2*
> to *2.25.3* to remediate the security vulnerability
> [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161].
> h2. Vulnerability Details
> *CVE ID:* [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> *Current Version:* 2.17.2
> *Target Version:* 2.25.3
> *Severity:* MEDIUM
> *Impact:* Security vulnerability in Log4j requiring immediate remediation
> h2. Files Requiring Updates
> The following files and locations reference Log4j 2.17.2 and need to be
> updated:
> h3. Build Configuration
> *
> {{build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy}}
> ** Update {{deps.put("log4j.version", "2.17.2")}} to
> {{deps.put("log4j.version", "2.25.3")}}
> h3. Documentation Files
> * {{geode-docs/managing/logging/configuring_log4j2.html.md.erb}}
> ** Update references from 2.17.2 to 2.25.3 (lines 39-41, 45, 48)
> * {{geode-docs/managing/logging/how_logging_works.html.md.erb}}
> ** Update references from 2.17.2 to 2.25.3 (lines 24, 26)
> *
> {{geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb}}
> ** Update JAR references from 2.17.2 to 2.25.3 (lines 111-113)
> h3. Test Resources
> *
> {{geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle}}
> ** Update hardcoded version from 2.17.2 to 2.25.3 (line 28)
> *
> {{geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt}}
> ** Update JAR names from 2.17.2 to 2.25.3 (lines 35-39)
> * {{geode-assembly/src/integrationTest/resources/assembly_content.txt}}
> ** Update JAR names from 2.17.2 to 2.25.3 (lines 1015-1018)
> h2. Implementation Steps
> # *Update Dependency Version*
> ** Modify {{DependencyConstraints.groovy}} to set log4j.version to 2.25.3
> # *Update Documentation*
> ** Update all documentation files to reference the new version
> ** Verify download links and documentation still point to valid resources
> # *Update Test Resources*
> ** Update test configuration files and resource lists
> ** Regenerate or update assembly content lists if automated
> # *Build and Test*
> ** Run full build: {{./gradlew clean build}}
> ** Run unit tests: {{./gradlew test}}
> ** Run integration tests: {{./gradlew integrationTest}}
> ** Run distributed tests: {{./gradlew distributedTest}}
> # *Verify Dependencies*
> ** Check dependency tree: {{./gradlew dependencies}}
> ** Verify no older Log4j versions are transitively included
> # *Security Scan*
> ** Run vulnerability scan to confirm CVE-2025-68161 is resolved
> ** Check for any new vulnerabilities introduced
> h2. Testing Strategy
> h3. Unit Testing
> * Verify all existing unit tests pass with the new Log4j version
> * Focus on logging-related tests in {{geode-log4j}} module
> h3. Integration Testing
> * Test logging configurations across different modules
> * Verify Log4j bridge integrations (JUL, SLF4J, JCL) function correctly
> * Test session management logging (Tomcat/WebLogic modules)
> h3. Compatibility Testing
> * Verify compatibility with:
> ** Java 17
> ** Different application servers (Tomcat, WebLogic)
> ** Existing log4j2 configuration files
> h3. Regression Testing
> * Run full test suite to ensure no functionality is broken
> * Test specific scenarios:
> ** Log file rotation
> ** Custom appenders
> ** Log filtering
> ** Performance benchmarks
> h2. Rollback Plan
> If issues are discovered after the upgrade:
> # Revert the version change in {{DependencyConstraints.groovy}}
> # Revert documentation changes
> # Rebuild and redeploy with Log4j 2.17.2
> # Document any compatibility issues discovered
> h2. Dependencies Impact
> The following Geode modules use Log4j and may be affected:
> * {{geode-log4j}} - Core Log4j integration
> * {{geode-gfsh}} - GFSH command-line tool
> * {{geode-tcp-server}} - TCP server implementation
> * {{geode-assembly}} - Distribution assembly
> * {{geode-modules}} - HTTP session management modules
> h2. Breaking Changes
> Review Log4j [release
> notes|https://logging.apache.org/log4j/2.x/changes-report.html] for versions
> between 2.17.2 and 2.25.3:
> * Identify any deprecated APIs that Geode may be using
> * Check for configuration format changes
> * Review any behavioral changes that could affect Geode
> h2. Timeline
> *Estimated effort:* 2-3 weeks including testing
> * Week 1: Code changes and initial testing
> * Week 2: Integration and regression testing
> * Week 3: Documentation review and final validation
> h2. Success Criteria
> * [ ] All code references to Log4j 2.17.2 updated to 2.25.3
> * [ ] All builds pass successfully
> * [ ] All tests pass (unit, integration, distributed)
> * [ ] CVE-2025-68161 no longer reported in vulnerability scans
> * [ ] No new vulnerabilities introduced
> * [ ] Documentation accurately reflects new version
> * [ ] Release notes updated
> h2. References
> * [CVE-2025-68161 Details|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
> * [Log4j 2.x Download|https://logging.apache.org/log4j/2.x/download.html]
> * [Log4j 2.x Release
> Notes|https://logging.apache.org/log4j/2.x/changes-report.html]
> * [Apache Geode Documentation|https://geode.apache.org/docs/]
> h2. Risks and Mitigations
> ||Risk||Impact||Likelihood||Mitigation||
> |Breaking API changes in Log4j|High|Low|Review release notes thoroughly; test
> extensively|
> |Transitive dependency conflicts|Medium|Medium|Use {{./gradlew dependencies}}
> to identify conflicts|
> |Performance degradation|Medium|Low|Run performance benchmarks before/after
> upgrade|
> |Configuration incompatibilities|Medium|Low|Test with various log4j2.xml
> configurations|
> |Module-specific issues|High|Medium|Test all HTTP session management modules
> thoroughly|
> h2. Communication Plan
> * Notify development team of planned upgrade
> * Update JIRA ticket with progress
> * Document any issues encountered during testing
> * Share test results with team before merge
> * Update release notes for next Geode release
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
