[ https://issues.apache.org/jira/browse/GEODE-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18065340#comment-18065340 ]
ASF subversion and git services commented on GEODE-10555:
---------------------------------------------------------
Commit ed45800813338a5eb6b83d5cd827d47a70f96b02 in geode's branch refs/heads/support/2.0 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=ed45800813 ]
GEODE-10555: Remediate CVE-2024-12798 CVE-2024-12801 CVE-2025-11226 CVE-2026-1225 (#7982)
* GEODE-10555: Remediate CVEs
- Add global exclusion of ch.qos.logback to prevent transitive inclusion
- Remediate CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
- Update expected POM files to reflect dependency changes
- All logging routed through Log4j 2 via log4j-slf4j-impl
* Update geode-server-all expected dependency classpath
Remove logback-classic and logback-core from expected dependencies
* Update assembly integration test expected files
- Remove logback-classic and logback-core from assembly_content.txt
- Remove logback from expected_jars.txt (bundled jars)
- Remove logback from gfsh_dependency_classpath.txt
> Remediate Logback CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
> -------------------------------------------------------------------------------
>
> Key: GEODE-10555
> URL: https://issues.apache.org/jira/browse/GEODE-10555
> Project: Geode
> Issue Type: Improvement
> Affects Versions: 2.0.0
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
>
> Description
> Geode's runtime classpath includes Logback dependencies (logback-classic:1.5.11, logback-core:1.5.11) that contain known security vulnerabilities:
> * CVE-2024-12798
> * CVE-2024-12801
> * CVE-2025-11226
> * CVE-2026-1225
> Current State
> * Logback version: 1.5.11 (vulnerable)
> * Source: Transitive from spring-boot-starter-logging:3.3.5
> Investigation Required
> * Verify no transitive usage through Spring Boot components
> * Check if newer Logback versions address all CVEs
> * Test impact on Spring Boot autoconfiguration
> Acceptance Criteria
> * All CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225 resolved
> * All tests pass (unit, integration, distributed, acceptance)
> * No regression in logging functionality
> * CVE scanner confirms vulnerabilities remediated
> * Documentation updated if logging configuration changes
> Files Potentially Affected
> * build.gradle (root)
> * geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
> * geode-assembly/src/integrationTest/resources/expected_jars.txt
> * geode-assembly/src/integrationTest/resources/assembly_content.txt
> * geode-server-all/src/integrationTest/resources/dependency_classpath.txt
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
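As an added example (not Geode's own build.gradle), here is a standalone Gradle build that applies the global ch.qos.logback exclusion described in the commit and adds a guard task covering the "CVE scanner confirms" acceptance criterion. The Log4j version, the extra log4j-to-slf4j exclusion, and the log4j-slf4j2-impl binding (chosen because spring-boot-starter-logging 3.3.5 resolves slf4j-api 2.x) are this example's assumptions; the commit itself names log4j-slf4j-impl.

```groovy
// Added example, not Geode's build.gradle: keep Logback off every
// classpath and fail the build if a ch.qos.logback artifact still resolves.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

// Global exclusion: applies to compile, runtime and test configurations,
// so logback-classic/logback-core cannot arrive transitively from any path.
configurations.all {
    exclude group: 'ch.qos.logback'
    // Assumption for this example: drop the Log4j-API-to-SLF4J bridge that the
    // starter also brings, since routing SLF4J to Log4j 2 would otherwise loop.
    exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
}

dependencies {
    // Transitive source named in the issue description.
    implementation 'org.springframework.boot:spring-boot-starter-logging:3.3.5'
    // SLF4J 2.x -> Log4j 2 binding (version and artifact are assumptions here).
    implementation 'org.apache.logging.log4j:log4j-slf4j2-impl:2.24.1'
}

// Guard task: inspect the resolved runtime classpath and fail on any leak.
tasks.register('verifyNoLogback') {
    def runtime = configurations.runtimeClasspath
    doLast {
        def leaked = runtime.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'ch.qos.logback' }
        if (leaked) {
            throw new GradleException("Logback still on runtimeClasspath: ${leaked}")
        }
        println 'No ch.qos.logback artifacts on runtimeClasspath'
    }
}

// Run the guard as part of the normal check lifecycle.
tasks.named('check') {
    dependsOn 'verifyNoLogback'
}
```

Running `gradle verifyNoLogback` (or `gradle dependencyInsight --dependency logback-classic`) on the project gives the same evidence the issue's expected classpath files record: no logback jars resolve.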