JinwooHwang opened a new pull request, #7975:
URL: https://github.com/apache/geode/pull/7975
# GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3
## Description
This PR upgrades Apache Log4j from version 2.17.2 to 2.25.3 to remediate
security vulnerability CVE-2025-68161.
## Changes Made
### 1. Dependency Version Update
* Updated `log4j.version` from `2.17.2` to `2.25.3` in
`DependencyConstraints.groovy`
* Added `log4j-core-test` to dependency management for test utilities
### 2. Build Configuration
* Added GraalVM annotation processor configuration in
`geode-log4j/build.gradle`
* Log4j 2.25.3 includes GraalVM Reachability Metadata annotation processor
that requires Maven coordinates
* Added compiler arguments: `-Alog4j.graalvm.groupId` and
`-Alog4j.graalvm.artifactId`
### 3. Integration Test Migration
* Migrated 21 integration tests to use new test utility packages
* Log4j 2.20.0+ restructured test artifacts for JPMS compliance
* Package changes:
- `org.apache.logging.log4j.junit.LoggerContextRule` →
`org.apache.logging.log4j.core.test.junit.LoggerContextRule`
- `org.apache.logging.log4j.test.appender.ListAppender` →
`org.apache.logging.log4j.core.test.appender.ListAppender`
* Zero test logic changes - only import statements updated
### 4. Documentation Updates
* Updated version references in 3 documentation files:
- `geode-docs/managing/logging/configuring_log4j2.html.md.erb`
- `geode-docs/managing/logging/how_logging_works.html.md.erb`
- `geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb`
### 5. Test Resources
* Updated expected JAR names in 4 test resource files to reflect new version
* Updated `geode-all-bom/expected-pom.xml` with 5 log4j dependency versions
## Files Changed
* **31 files changed**: 80 insertions(+), 61 deletions(-)
## Testing
* ✓ Build successful with all validations
* ✓ Unit tests pass
* ✓ Integration tests compile successfully
* ✓ Full build: 718 tasks executed in 25s
## Security Impact
* Remediates CVE-2025-68161
* No breaking changes to public APIs
* All existing tests pass with updated dependencies
## Related Issues
* JIRA: GEODE-10543
* Apache Log4j JIRA: LOG4J2-3650 (test artifact restructuring)
### For all changes, please confirm:
- [x] Is there a JIRA ticket associated with this PR? Is it referenced in
the commit message?
- [x] Has your PR been rebased against the latest commit within the target
branch (typically `develop`)?
- [x] Is your initial contribution a single, squashed commit?
- [x] Does `gradlew build` run cleanly?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
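The two mechanical parts of the upgrade described in the PR above (sections 1 and 5: every `org.apache.logging.log4j` artifact pinned at 2.25.3 in the BOM; section 3: only the two import statements rewritten to the `core.test` packages) are the kind of thing a reviewer wants to re-check rather than trust. The following is an added Python example, not code from the Geode PR or from the Log4j project: it parses a constructed `expected-pom.xml`-style fragment and reports any Log4j artifact still below the target version, and it rewrites Java import lines using only the two package moves the PR lists. The sample POM, the sample Java source and the function names (`find_stale_log4j`, `migrate_imports`) are assumptions made for the example.

```python
"""Reviewer-side checks for a Log4j version bump (added example, not Geode code)."""
import re
import xml.etree.ElementTree as ET

# Target version from the PR description.
MIN_LOG4J_VERSION = "2.25.3"

# Package moves listed in the PR (Log4j 2.20.0+ test artifact restructuring).
IMPORT_MIGRATIONS = {
    "org.apache.logging.log4j.junit.LoggerContextRule":
        "org.apache.logging.log4j.core.test.junit.LoggerContextRule",
    "org.apache.logging.log4j.test.appender.ListAppender":
        "org.apache.logging.log4j.core.test.appender.ListAppender",
}

POM_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(version):
    """'2.25.3' -> (2, 25, 3); a non-numeric segment compares as 0."""
    parts = []
    for segment in version.split("."):
        match = re.match(r"\d+", segment)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def find_stale_log4j(pom_xml, minimum=MIN_LOG4J_VERSION):
    """Return [(artifactId, version)] for org.apache.logging.log4j
    dependencies whose pinned version is below `minimum`."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    stale = []
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group_id = dep.findtext("m:groupId", default="", namespaces=ns)
        if group_id != "org.apache.logging.log4j":
            continue
        artifact_id = dep.findtext("m:artifactId", default="", namespaces=ns)
        version = dep.findtext("m:version", default="", namespaces=ns)
        if parse_version(version) < parse_version(minimum):
            stale.append((artifact_id, version))
    return stale


# Matches a Java import line; group 2 is the fully qualified name.
IMPORT_RE = re.compile(r"^([ \t]*import[ \t]+(?:static[ \t]+)?)([\w.]+)([ \t]*;)",
                       re.MULTILINE)


def migrate_imports(java_source):
    """Rewrite only import statements per IMPORT_MIGRATIONS.
    Static member imports of a moved class (old.Class.member) are moved too.
    Returns (new_source, number_of_rewritten_imports)."""
    count = 0

    def replace(match):
        nonlocal count
        fqn = match.group(2)
        for old, new in IMPORT_MIGRATIONS.items():
            if fqn == old or fqn.startswith(old + "."):
                count += 1
                return match.group(1) + new + fqn[len(old):] + match.group(3)
        return match.group(0)  # unrelated import: untouched

    return IMPORT_RE.sub(replace, java_source), count


# Constructed sample inputs (not taken from the Geode repository).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId><version>2.25.3</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>2.17.2</version></dependency>
    <dependency><groupId>org.slf4j</groupId>
      <artifactId>slf4j-api</artifactId><version>1.7.32</version></dependency>
  </dependencies></dependencyManagement>
</project>"""

SAMPLE_JAVA = """package org.example;

import org.apache.logging.log4j.junit.LoggerContextRule;
import org.apache.logging.log4j.test.appender.ListAppender;
import org.junit.Rule;
"""

if __name__ == "__main__":
    print("stale log4j artifacts:", find_stale_log4j(SAMPLE_POM))
    migrated, changed = migrate_imports(SAMPLE_JAVA)
    print(f"{changed} import(s) rewritten:\n{migrated}")
```

Run against the sample inputs it reports `log4j-core` at 2.17.2 as stale while leaving the SLF4J entry alone, and rewrites exactly the two imports, leaving `org.junit.Rule` and the package declaration untouched; pointing `find_stale_log4j` at the real `geode-all-bom/expected-pom.xml` is how to confirm the "5 log4j dependency versions" claim, and running `migrate_imports` over the test tree with `count` summed is how to confirm the "zero test logic changes" claim by diff.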