JinwooHwang opened a new pull request, #8006: URL: https://github.com/apache/geode/pull/8006
## Summary

Backport Log4j upgrade from **2.25.3** to **2.25.4** on the `support/1.15` branch to remediate [CVE-2026-34478](https://nvd.nist.gov/vuln/detail/CVE-2026-34478). Also corrects stale Log4j version references (`2.17.2`, `2.12.0`, `2.5`) in resource files and documentation that were missed during the prior GEODE-10544 upgrade.

## Security Vulnerability

| Field | Detail |
|-------|--------|
| **CVE** | [CVE-2026-34478](https://nvd.nist.gov/vuln/detail/CVE-2026-34478) |
| **CVSS** | 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) |
| **CWE** | [CWE-117](https://cwe.mitre.org/data/definitions/117.html) Improper Output Neutralization for Logs, [CWE-684](https://cwe.mitre.org/data/definitions/684.html) Incorrect Provision of Specified Functionality |
| **Affected versions** | Log4j Core 2.21.0 through 2.25.3 |
| **Fixed in** | Log4j Core 2.25.4 |
| **Published** | 2026-04-10 |

### Description

Log4j Core's `Rfc5424Layout` (versions 2.21.0 through 2.25.3) is vulnerable to **log injection via CRLF sequences** due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure `Rfc5424Layout` directly:

1. **`newLineEscape` attribute silently renamed** — Newline escaping stopped working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
2. **`useTlsMessageFormat` attribute silently renamed** — Users of TLS framing (RFC 5425) were silently downgraded to unframed TCP (RFC 6587) without newline escaping.

> Users of the `SyslogAppender` are not affected, as its configuration attributes were not modified.

## Changes

Version string updates across **10 files** (34 insertions, 34 deletions):

| File | Old version | What changed |
|------|------------|-------------|
| `build-tools/geode-dependency-management/.../DependencyConstraints.groovy` | 2.25.3 | Central managed version definition |
| `geode-assembly/.../management/build.gradle` | 2.12.0 | Hardcoded `log4j-slf4j-impl` dependency |
| `boms/geode-all-bom/.../expected-pom.xml` | 2.17.2 (×5) | 5 `<version>` entries in expected POM |
| `geode-assembly/.../assembly_content.txt` | 2.17.2 (×5) | 5 jar filename references |
| `geode-assembly/.../gfsh_dependency_classpath.txt` | 2.17.2 (×5) | 5 jar filename references |
| `geode-server-all/.../dependency_classpath.txt` | 2.17.2 (×5) | 5 jar filename references |
| `geode-docs/.../configuring_log4j2.html.md.erb` | 2.17.2 (×5) | Documentation references |
| `geode-docs/.../how_logging_works.html.md.erb` | 2.17.2 (×2) | Documentation references |
| `geode-docs/.../weblogic_setting_up_the_module.html.md.erb` | 2.5 (×3) | Documentation jar filename references |

**Note:** The prior GEODE-10544 upgrade (2.17.2 → 2.25.3) on `support/1.15` only updated `DependencyConstraints.groovy`, `geode-log4j/build.gradle`, and 20 Java test import files. It missed the resource files, expected POM, documentation, and management build.gradle — all of which still referenced older versions. This PR corrects all of them to 2.25.4.

No code logic changes — this is a dependency version bump only.

## References

- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2026-34478
- **Apache advisory**: https://logging.apache.org/security.html#CVE-2026-34478
- **Upstream fix**: https://github.com/apache/logging-log4j2/pull/4074
- **Log4j 2.25.4 release notes**: https://logging.apache.org/log4j/2.x/release-notes.html#2.25.4

### For all changes, please confirm:

- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Has your PR been rebased against the latest commit within the target branch (typically `develop`)?
- [x] Is your initial contribution a single, squashed commit?
- [x] Does `gradlew build` run cleanly?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
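The CRLF-injection mechanism the PR description refers to, as an added example that is not part of the PR, of Apache Geode or of Log4j: it models the two RFC 6587 syslog framings in Python and shows why newline escaping matters when records are LF-terminated (non-transparent framing) and why it does not matter under octet counting. The escape string, the sample message and the untrusted field are constructed for illustration; they are not taken from Log4j's `Rfc5424Layout` or its configuration.

```python
"""Added example (not Geode or Log4j code): RFC 6587 framing and newline escaping."""
from typing import List

# Assumed replacement string; Log4j uses whatever the layout is configured with.
NEWLINE_ESCAPE = "\\n"


def escape_newlines(message: str, replacement: str = NEWLINE_ESCAPE) -> str:
    """Neutralize CRLF, CR and LF so a message cannot terminate a framed record."""
    return (message.replace("\r\n", replacement)
                   .replace("\r", replacement)
                   .replace("\n", replacement))


def frame_non_transparent(message: str) -> bytes:
    """RFC 6587 3.4.2: each record ends with LF, so an LF inside the message is ambiguous."""
    return (message + "\n").encode("utf-8")


def frame_octet_counting(message: str) -> bytes:
    """RFC 6587 3.4.1: MSG-LEN SP SYSLOG-MSG; the length prefix makes embedded newlines harmless."""
    data = message.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def parse_non_transparent(stream: bytes) -> List[str]:
    """Collector view: split on LF, as a non-transparent-framing receiver does."""
    return [part.decode("utf-8") for part in stream.split(b"\n") if part]


def parse_octet_counting(stream: bytes) -> List[str]:
    """Collector view: read MSG-LEN, then exactly that many bytes, repeat."""
    records = []
    pos = 0
    while pos < len(stream):
        sp = stream.index(b" ", pos)
        length = int(stream[pos:sp])
        start = sp + 1
        records.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return records


# Constructed sample: a username copied from an untrusted request that carries a
# CRLF followed by text shaped like a second syslog record.
UNTRUSTED_FIELD = "alice\r\n<34>1 2026-04-10T00:00:00Z host app - - - forged record"
LOG_MESSAGE = "<34>1 2026-04-10T00:00:00Z host app - - - login user=" + UNTRUSTED_FIELD


def records_seen_by_collector(escape: bool) -> List[str]:
    """Non-transparent framing: with escaping off the collector sees two records, on it sees one."""
    msg = escape_newlines(LOG_MESSAGE) if escape else LOG_MESSAGE
    return parse_non_transparent(frame_non_transparent(msg))


def records_seen_with_octet_counting() -> List[str]:
    """Octet counting delivers the whole message as one record even without escaping."""
    return parse_octet_counting(frame_octet_counting(LOG_MESSAGE))


if __name__ == "__main__":
    print("non-transparent, unescaped:", records_seen_by_collector(escape=False))
    print("non-transparent, escaped:  ", records_seen_by_collector(escape=True))
    print("octet counting:            ", records_seen_with_octet_counting())
```

The unescaped run is the situation the advisory describes for users whose `newLineEscape` setting silently stopped applying: the collector splits one emitted event into two records. Escaping before framing, or switching to octet-counting framing, keeps the event as a single record; a collector can also flag any non-transparent record that still contains a raw CR as a sign of injection.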
