This is an automated email from the ASF dual-hosted git repository. JinwooHwang pushed a commit to branch support/2.0 in repository https://gitbox.apache.org/repos/asf/geode.git
commit 9190bb5de2c5b13d444a1f21d6d91d0dc3cd6584 Author: Jinwoo Hwang <[email protected]> AuthorDate: Mon Apr 27 06:02:33 2026 -0400 GEODE-10579: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs (#8005) Upgrade Apache Log4j from 2.25.3 to 2.25.4 to remediate CVE-2026-34478 (CVSS 6.9 MEDIUM). VULNERABILITY: Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes (CWE-117, CWE-684). Two issues affect users of stream-based syslog services: - The newLineEscape attribute was silently renamed, disabling newline escaping for TCP framing (RFC 6587) and exposing CRLF injection. - The useTlsMessageFormat attribute was silently renamed, silently downgrading TLS framing (RFC 5425) to unframed TCP without newline escaping. REMEDIATION: Updated all Log4j dependency references from 2.25.3 to 2.25.4 across dependency constraints, build files, documentation, and test resources. References: https://nvd.nist.gov/vuln/detail/CVE-2026-34478 https://github.com/apache/logging-log4j2/pull/4074 https://logging.apache.org/security.html#CVE-2026-34478 (cherry picked from commit a4ec1d2d7d5e2c4d95f8c5be05a48c6baf43e0ce) --- boms/geode-all-bom/src/test/resources/expected-pom.xml | 10 +++++----- .../apache/geode/gradle/plugins/DependencyConstraints.groovy | 2 +- .../resources/gradle-test-projects/management/build.gradle | 2 +- .../src/integrationTest/resources/assembly_content.txt | 10 +++++----- .../integrationTest/resources/gfsh_dependency_classpath.txt | 10 +++++----- geode-docs/managing/logging/configuring_log4j2.html.md.erb | 10 +++++----- geode-docs/managing/logging/how_logging_works.html.md.erb | 4 ++-- .../weblogic_setting_up_the_module.html.md.erb | 6 +++--- geode-log4j/build.gradle | 2 +- .../src/integrationTest/resources/dependency_classpath.txt | 10 +++++----- 10 files changed, 33 insertions(+), 33 deletions(-) 
diff --git a/boms/geode-all-bom/src/test/resources/expected-pom.xml b/boms/geode-all-bom/src/test/resources/expected-pom.xml 
index bfb65e2d01..65f6a24015 100644 
--- a/boms/geode-all-bom/src/test/resources/expected-pom.xml 
+++ b/boms/geode-all-bom/src/test/resources/expected-pom.xml 
@@ -530,27 +530,27 @@
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-api</artifactId> 
- <version>2.25.3</version> 
+ <version>2.25.4</version>
 </dependency>
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-core</artifactId> 
- <version>2.25.3</version> 
+ <version>2.25.4</version>
 </dependency>
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-jcl</artifactId> 
- <version>2.25.3</version> 
+ <version>2.25.4</version>
 </dependency>
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-jul</artifactId> 
- <version>2.25.3</version> 
+ <version>2.25.4</version>
 </dependency>
 <dependency>
 <groupId>org.apache.logging.log4j</groupId>
 <artifactId>log4j-slf4j-impl</artifactId> 
- <version>2.25.3</version> 
+ <version>2.25.4</version>
 </dependency>
 <dependency>
 <groupId>org.apache.lucene</groupId> 
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy 
index b714686ef9..ec9f9f84c7 100644 
--- a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy 
+++ b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy 
@@ -46,7 +46,7 @@ class DependencyConstraints {
 deps.put("jakarta.annotation.version", "2.1.1")
 deps.put("jakarta.ejb.version", "4.0.1")
 deps.put("jgroups.version", "3.6.20.Final") 
- deps.put("log4j.version", "2.25.3") 
+ deps.put("log4j.version", "2.25.4")
 deps.put("log4j-slf4j2-impl.version", "2.23.1")
 deps.put("micrometer.version", "1.14.0")
 deps.put("shiro.version", "2.1.0") 
diff --git a/geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle b/geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle 
index 48626e2a2c..a4e0645a45 100644 
--- a/geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle 
+++ b/geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle 
@@ -25,7 +25,7 @@ repositories {
 dependencies {
 implementation("${project.group}:geode-core:${project.version}") 
- runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.25.3') 
+ runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.25.4')
 }
 application { 
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt 
index 3a4b23d33c..786c91cbf2 100644 
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt 
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt 
@@ -1012,11 +1012,11 @@ lib/jna-platform-5.11.0.jar
 lib/joda-time-2.12.7.jar
 lib/jopt-simple-5.0.4.jar
 lib/jul-to-slf4j-2.0.17.jar 
-lib/log4j-api-2.25.3.jar 
-lib/log4j-core-2.25.3.jar 
-lib/log4j-jcl-2.25.3.jar 
-lib/log4j-jul-2.25.3.jar 
-lib/log4j-slf4j-impl-2.25.3.jar 
+lib/log4j-api-2.25.4.jar 
+lib/log4j-core-2.25.4.jar 
+lib/log4j-jcl-2.25.4.jar 
+lib/log4j-jul-2.25.4.jar 
+lib/log4j-slf4j-impl-2.25.4.jar
 lib/lucene-analysis-common-9.12.3.jar
 lib/lucene-analysis-phonetic-9.12.3.jar
 lib/lucene-core-9.12.3.jar 
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt 
index 2c93d8ee53..c41d8f1344 100644 
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt 
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt 
@@ -32,11 +32,11 @@ jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
 jakarta.xml.bind-api-4.0.2.jar
 jopt-simple-5.0.4.jar 
-log4j-slf4j-impl-2.25.3.jar 
-log4j-core-2.25.3.jar 
-log4j-jcl-2.25.3.jar 
-log4j-jul-2.25.3.jar 
-log4j-api-2.25.3.jar 
+log4j-slf4j-impl-2.25.4.jar 
+log4j-core-2.25.4.jar 
+log4j-jcl-2.25.4.jar 
+log4j-jul-2.25.4.jar 
+log4j-api-2.25.4.jar
 spring-aop-6.1.21.jar
 spring-shell-autoconfigure-3.3.3.jar
 spring-shell-standard-commands-3.3.3.jar 
diff --git a/geode-docs/managing/logging/configuring_log4j2.html.md.erb b/geode-docs/managing/logging/configuring_log4j2.html.md.erb 
index 46f88f40a5..04f5f57448 100644 
--- a/geode-docs/managing/logging/configuring_log4j2.html.md.erb 
+++ b/geode-docs/managing/logging/configuring_log4j2.html.md.erb 
@@ -36,16 +36,16 @@ You can also configure Log4j 2 to work with various popular and commonly used lo
 For example, if you are using: 
-- **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.25.3.jar`) 
-- **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.25.3.jar`) 
-- **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.25.3.jar`) 
+- **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.25.4.jar`) 
+- **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.25.4.jar`) 
+- **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.25.4.jar`)
 See [http://logging.apache.org/log4j/2.x/faq.html](http://logging.apache.org/log4j/2.x/faq.html) for more examples. 
-All three of the above JAR files are in the full distribution of Log4J 2.25.3 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications. 
+All three of the above JAR files are in the full distribution of Log4J 2.25.4 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications.
 **Note:** 
-<%=vars.product_name_long%> has been tested with Log4j 2.25.3. As newer versions of Log4j 2 come out, you can find 2.25.3 under Previous Releases on that page. 
+<%=vars.product_name_long%> has been tested with Log4j 2.25.4. As newer versions of Log4j 2 come out, you can find 2.25.4 under Previous Releases on that page.
 ## Customizing Your Own log4j2.xml File 
diff --git a/geode-docs/managing/logging/how_logging_works.html.md.erb b/geode-docs/managing/logging/how_logging_works.html.md.erb 
index 4103bce48e..e912b90190 100644 
--- a/geode-docs/managing/logging/how_logging_works.html.md.erb 
+++ b/geode-docs/managing/logging/how_logging_works.html.md.erb 
@@ -21,9 +21,9 @@ limitations under the License.
 <%=vars.product_name%> uses [Apache Log4j 2](http://logging.apache.org/log4j/2.x/) API and Core libraries as the basis for its logging system. Log4j 2 API is a popular and powerful front-end logging API used by all the <%=vars.product_name%> classes to generate log statements. Log4j 2 Core is a backend implementation for logging; you can route any of the front-end logging API libraries to log to this backend. <%=vars.product_name%> uses the Core backend to run three custom Log4j 2 Append [...] 
-<%=vars.product_name%> has been tested with Log4j 2.25.3. 
+<%=vars.product_name%> has been tested with Log4j 2.25.4.
 <%=vars.product_name%> requires the 
-`log4j-api-2.25.3.jar` and `log4j-core-2.25.3.jar` 
+`log4j-api-2.25.4.jar` and `log4j-core-2.25.4.jar`
 JAR files to be in the classpath. Both of these JARs are distributed in the `<path-to-product>/lib` directory and included in the appropriate `*-dependencies.jar` convenience libraries. 
diff --git a/geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb b/geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb 
index 26bfb69b94..cf516e18b6 100644 
--- a/geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb 
+++ b/geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb 
@@ -108,9 +108,9 @@ If you are deploying an ear file:
 lib/geode-serialization-2.0.0.jar
 lib/jakarta.transaction-api-2.0.1.jar
 lib/jgroups-3.6.20.Final.jar 
- lib/log4j-api-2.25.3.jar 
- lib/log4j-core-2.25.3.jar 
- lib/log4j-jul-2.25.3.jar 
+ lib/log4j-api-2.25.4.jar 
+ lib/log4j-core-2.25.4.jar 
+ lib/log4j-jul-2.25.4.jar
 ```
 ## <a id="weblogic_setting_up_the_module__section_20294A39368D4402AEFB3D074E8D5887" class="no-quick-link"></a>Peer-to-Peer Setup 
diff --git a/geode-log4j/build.gradle b/geode-log4j/build.gradle 
index 9d0cd64d89..e3908f84c4 100644 
--- a/geode-log4j/build.gradle 
+++ b/geode-log4j/build.gradle 
@@ -84,7 +84,7 @@ dependencies {
 // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
 // org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
 // org.apache.logging.log4j.test → org.apache.logging.log4j.core.test 
- // log4j-core-test 2.25.3 transitively depends on assertj-core 3.27.3, but Geode's 
+ // log4j-core-test 2.25.4 transitively depends on assertj-core 3.27.3, but Geode's
 // custom AssertJ assertions were built against 3.22.0. Force 3.22.0 to avoid
 // NoSuchMethodError: CommonValidations.failIfEmptySinceActualIsNotEmpty
 integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') { 
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt 
index 04ddf2d57b..2071d8d928 100644 
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt 
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt 
@@ -33,11 +33,11 @@ commons-lang3-3.18.0.jar
 jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
 jakarta.xml.bind-api-4.0.2.jar 
-log4j-slf4j-impl-2.25.3.jar 
-log4j-core-2.25.3.jar 
-log4j-jcl-2.25.3.jar 
-log4j-jul-2.25.3.jar 
-log4j-api-2.25.3.jar 
+log4j-slf4j-impl-2.25.4.jar 
+log4j-core-2.25.4.jar 
+log4j-jcl-2.25.4.jar 
+log4j-jul-2.25.4.jar 
+log4j-api-2.25.4.jar
 spring-shell-starter-3.3.3.jar
 rmiio-2.1.2.jar
 antlr-2.7.7.jar
