[
https://issues.apache.org/jira/browse/GEODE-10544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066205#comment-18066205
]
ASF subversion and git services commented on GEODE-10544:
---------------------------------------------------------
Commit 721597b33fd1c916a3df8881d03152ee0164efcf in geode's branch
refs/heads/support/1.15 from Jinwoo Hwang
[ https://gitbox.apache.org/repos/asf?p=geode.git;h=721597b33f ]
GEODE-10544: Upgrade Apache Log4j from version 2.17.2 to 2.25.3 to remediate security vulnerability CVE-2025-68161. (#7978)
* GEODE-10544: Upgrade Log4j from 2.17.2 to 2.25.3
- Updated Log4j version to 2.25.3 in dependency constraints
- Added GraalVM annotation processor configuration for geode-log4j
- Migrated test dependencies from log4j-core::tests to log4j-core-test artifact
- Updated 20 integration test files to use new package structure:
* org.apache.logging.log4j.junit -> org.apache.logging.log4j.core.test.junit
* org.apache.logging.log4j.test.appender -> org.apache.logging.log4j.core.test.appender
- Suppressed deprecation warning for Message.getFormat() method
- Added exclusions for Maven transitive dependencies to resolve Guava conflicts
- All quality checks pass: build, spotlessCheck, rat, checkPom, japicmp
* Fix integration test failures for Log4j 2.25.3
- Exclude JUnit 5.13.2 from log4j-core-test (conflicts with project's 5.8.2)
- Exclude assertj-core 3.27.3 from log4j-core-test (conflicts with Geode's 3.22.0)
- Add detailed comments explaining the exclusions
This fixes the 26 integration test failures that occurred after upgrading
Log4j from 2.17.2 to 2.25.3. The failures were caused by version conflicts
in transitive dependencies brought in by log4j-core-test.
Tested: ./gradlew :geode-log4j:integrationTest passes successfully
* Update build.gradle comments to explain all 5 dependency exclusions
- Document maven-core exclusion (Guava conflict)
- Document log4j-api-test exclusion (brings JUnit 5.13.2)
- Document junit.jupiter/platform exclusions (version mismatch with 5.8.2)
- Clarify all exclusions are required for support/1.15 branch
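The exclusion pattern the commit message describes, written out as an added Gradle (Groovy DSL) illustration; this is not Geode's build.gradle. The version 2.25.3 and the artifact names come from the commit message above, while the Maven group ids, the configuration name and the placement of the maven-core exclusion are assumptions.

```groovy
// Added illustration, not Geode's own build.gradle. Artifact names and the
// 2.25.3 version are from the commit message; group ids are assumed from the
// projects' public Maven coordinates, and the configuration name is assumed.
dependencies {
    // Runtime logging pinned to the remediated release.
    implementation 'org.apache.logging.log4j:log4j-api:2.25.3'
    implementation 'org.apache.logging.log4j:log4j-core:2.25.3'

    // log4j-core-test replaces the old log4j-core::tests classifier artifact.
    // Its transitive test dependencies are newer than the versions this branch
    // pins, so they are excluded rather than letting resolution upgrade them.
    testImplementation('org.apache.logging.log4j:log4j-core-test:2.25.3') {
        // Brings JUnit 5.13.2; the project is on 5.8.2.
        exclude group: 'org.junit.jupiter'
        exclude group: 'org.junit.platform'
        // Brings assertj-core 3.27.3; the project is on 3.22.0.
        exclude group: 'org.assertj', module: 'assertj-core'
        // log4j-api-test also drags in JUnit 5.13.2.
        exclude group: 'org.apache.logging.log4j', module: 'log4j-api-test'
        // maven-core pulls a conflicting Guava (placement here is assumed).
        exclude group: 'org.apache.maven', module: 'maven-core'
    }
}
```

Running `./gradlew dependencies --configuration testRuntimeClasspath` prints the resolved tree, which is the quickest way to confirm the 2.25.3 pin took effect and none of the excluded artifacts re-enter through another path before the integration tests are run.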
> Apache Log4j Core Security Remediation
> --------------------------------------
>
> Key: GEODE-10544
> URL: https://issues.apache.org/jira/browse/GEODE-10544
> Project: Geode
> Issue Type: Improvement
> Reporter: Jinwoo Hwang
> Assignee: Jinwoo Hwang
> Priority: Major
> Fix For: 1.15.3
>
>
> Remediation of the security vulnerabilities reported in Apache Log4j Core
> * [CVE-2025-68161|https://nvd.nist.gov/vuln/detail/CVE-2025-68161]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)