JinwooHwang opened a new pull request, #8005: URL: https://github.com/apache/geode/pull/8005
## Summary

Upgrade Apache Log4j from **2.25.3** to **2.25.4** to remediate [CVE-2026-34478](https://nvd.nist.gov/vuln/detail/CVE-2026-34478).

## Security Vulnerability

| Field | Detail |
|-------|--------|
| **CVE** | [CVE-2026-34478](https://nvd.nist.gov/vuln/detail/CVE-2026-34478) |
| **CVSS** | 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) |
| **CWE** | [CWE-117](https://cwe.mitre.org/data/definitions/117.html) Improper Output Neutralization for Logs, [CWE-684](https://cwe.mitre.org/data/definitions/684.html) Incorrect Provision of Specified Functionality |
| **Affected versions** | Log4j Core 2.21.0 through 2.25.3 |
| **Fixed in** | Log4j Core 2.25.4 |
| **Published** | 2026-04-10 |

### Description

Log4j Core's `Rfc5424Layout` (versions 2.21.0 through 2.25.3) is vulnerable to **log injection via CRLF sequences** due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure `Rfc5424Layout` directly:

1. **`newLineEscape` attribute silently renamed** — Newline escaping stopped working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
2. **`useTlsMessageFormat` attribute silently renamed** — Users of TLS framing (RFC 5425) were silently downgraded to unframed TCP (RFC 6587) without newline escaping.

> Users of the `SyslogAppender` are not affected, as its configuration attributes were not modified.
## Changes

Pure version string replacement of `2.25.3` → `2.25.4` across **10 files** (33 insertions, 33 deletions):

| File | What changed |
|------|-------------|
| `build-tools/geode-dependency-management/.../DependencyConstraints.groovy` | Central managed version definition |
| `geode-assembly/.../management/build.gradle` | Hardcoded `log4j-slf4j-impl` dependency |
| `boms/geode-all-bom/.../expected-pom.xml` | 5 `<version>` entries in expected POM |
| `geode-assembly/.../assembly_content.txt` | 5 jar filename references |
| `geode-assembly/.../gfsh_dependency_classpath.txt` | 5 jar filename references |
| `geode-server-all/.../dependency_classpath.txt` | 5 jar filename references |
| `geode-docs/.../configuring_log4j2.html.md.erb` | Documentation references |
| `geode-docs/.../how_logging_works.html.md.erb` | Documentation references |
| `geode-docs/.../weblogic_setting_up_the_module.html.md.erb` | Documentation references |

No code logic changes — this is a dependency version bump only.

## Verification

- [x] `./gradlew test` — **BUILD SUCCESSFUL**
- [x] No remaining references to `2.25.3` in the codebase
- [x] Rebased cleanly onto latest `origin/develop` with no merge conflicts

## References

- **NVD**: https://nvd.nist.gov/vuln/detail/CVE-2026-34478
- **Apache advisory**: https://logging.apache.org/security.html#CVE-2026-34478
- **Upstream fix**: https://github.com/apache/logging-log4j2/pull/4074
- **Log4j 2.25.4 release notes**: https://logging.apache.org/log4j/2.x/release-notes.html#2.25.4
- **Prior Geode Log4j upgrade PR**: https://github.com/apache/geode/pull/7975 (GEODE-10543)

### For all changes, please confirm:

- [x] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
- [x] Has your PR been rebased against the latest commit within the target branch (typically `develop`)?
- [x] Is your initial contribution a single, squashed commit?
- [x] Does `gradlew build` run cleanly?
- [ ] Have you written or updated unit tests to verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
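The two failure modes the PR describes (newline escaping silently switched off under RFC 6587 framing, and RFC 5425 users dropped to unframed TCP) come down to one mechanism: whether a CR/LF inside a message can become a record boundary at the collector. The following is an added, constructed simulation and is not Log4j or Geode code. It models a minimal RFC 5424 message, both RFC 6587 framings (non-transparent with an LF trailer, and octet counting, which RFC 5425 also uses), and a collector-side parser for each; `escape_newlines()` only mimics the intent of a newline-escape setting, and every host name, timestamp and message is made up.

```python
"""Constructed illustration (not Log4j/Geode code) of CWE-117 in syslog
transport: an unescaped newline splits one record into two under RFC 6587
non-transparent framing, while newline escaping or octet-counting framing
(RFC 5425 / RFC 6587) keeps the message as a single record."""

TRAILER = "\n"  # RFC 6587 non-transparent framing ends each record with a trailer


def escape_newlines(msg: str, replacement: str = "\\n") -> str:
    """Replace CR/LF inside message text so a record can never contain the
    frame trailer. Mimics a newline-escape setting; not Log4j's own logic."""
    return (msg.replace("\r\n", replacement)
               .replace("\r", replacement)
               .replace("\n", replacement))


def rfc5424_record(msg: str, escape: bool, host: str = "app01",
                   app: str = "geode") -> str:
    """Minimal RFC 5424 message. PRI 134 = facility local0 (16*8) + severity info (6).
    Header fields are constructed sample values."""
    text = escape_newlines(msg) if escape else msg
    return f"<134>1 2026-04-10T12:00:00Z {host} {app} - - - {text}"


def frame_non_transparent(records: list[str]) -> str:
    """RFC 6587 non-transparent framing: SYSLOG-MSG TRAILER."""
    return "".join(r + TRAILER for r in records)


def parse_non_transparent(stream: str) -> list[str]:
    """A collector splits on the trailer, so any LF inside a message is a boundary."""
    return [r for r in stream.split(TRAILER) if r]


def frame_octet_counting(records: list[str]) -> bytes:
    """RFC 6587 octet counting (also the RFC 5425 TLS framing): MSG-LEN SP SYSLOG-MSG."""
    out = b""
    for r in records:
        body = r.encode("utf-8")
        out += f"{len(body)} ".encode("ascii") + body
    return out


def parse_octet_counting(stream: bytes) -> list[str]:
    """Length-prefixed read: embedded CR/LF stays inside its own record."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)          # end of the decimal MSG-LEN
        length = int(stream[i:sp])
        start = sp + 1
        records.append(stream[start:start + length].decode("utf-8"))
        i = start + length
    return records


def deliver(msg: str, escape: bool, octet_counting: bool) -> list[str]:
    """Send one message through a layout/framing combination and return the
    records the collector would store."""
    rec = rfc5424_record(msg, escape=escape)
    if octet_counting:
        return parse_octet_counting(frame_octet_counting([rec]))
    return parse_non_transparent(frame_non_transparent([rec]))


# Constructed user-influenced field: a value carrying CRLF plus a fake syslog
# header, so the tail would read as a second, legitimate-looking record.
INJECTED = ("login failed user=alice\r\n"
            "<134>1 2026-04-10T12:00:01Z app01 geode - - - login ok user=admin")

if __name__ == "__main__":
    for escape, octet in [(False, False), (True, False), (False, True)]:
        seen = deliver(INJECTED, escape=escape, octet_counting=octet)
        print(f"escape={escape} octet_counting={octet}: {len(seen)} record(s)")
        for r in seen:
            print("   ", repr(r))
```

The first combination (no escaping, LF-delimited TCP) is the state the advisory describes for affected `Rfc5424Layout` users: the collector stores two records, and the forged one carries a syntactically valid header it cannot distinguish from a real one. Re-enabling escaping collapses the input back into one record, and octet counting keeps it whole even without escaping, which is why RFC 5425 users lost protection when they were silently moved to the non-transparent TCP path.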
