GEODE-10579: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs (#8005)

Upgrade Apache Log4j from 2.25.3 to 2.25.4 to remediate CVE-2026-34478
(CVSS 6.9 MEDIUM).

VULNERABILITY:
  Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
  vulnerable to log injection via CRLF sequences due to undocumented
  renames of security-relevant configuration attributes (CWE-117,
  CWE-684). Two issues affect users of stream-based syslog services:
  - The newLineEscape attribute was silently renamed, disabling newline
    escaping for TCP framing (RFC 6587) and exposing CRLF injection.
  - The useTlsMessageFormat attribute was silently renamed, silently
    downgrading TLS framing (RFC 5425) to unframed TCP without newline
    escaping.

REMEDIATION:
  Updated all Log4j dependency references from 2.25.3 to 2.25.4 across
  dependency constraints, build files, documentation, and test resources.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2026-34478
  apache/logging-log4j2#4074
  https://logging.apache.org/security.html#CVE-2026-34478

Author: JinwooHwang

boms/geode-all-bom/src/test/resources/expected-pom.xml

@@ -530,27 +530,27 @@
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-api</artifactId>
-        <version>2.25.3</version>
+        <version>2.25.4</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-core</artifactId>
-        <version>2.25.3</version>
+        <version>2.25.4</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-jcl</artifactId>
-        <version>2.25.3</version>
+        <version>2.25.4</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-jul</artifactId>
-        <version>2.25.3</version>
+        <version>2.25.4</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-slf4j-impl</artifactId>
-        <version>2.25.3</version>
+        <version>2.25.4</version>
       </dependency>
       <dependency>
         <groupId>org.apache.lucene</groupId>

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -46,7 +46,7 @@ class DependencyConstraints {
     deps.put("jakarta.annotation.version", "2.1.1")
     deps.put("jakarta.ejb.version", "4.0.1")
     deps.put("jgroups.version", "3.6.20.Final")
-    deps.put("log4j.version", "2.25.3")
+    deps.put("log4j.version", "2.25.4")
     deps.put("log4j-slf4j2-impl.version", "2.23.1")
     deps.put("micrometer.version", "1.14.0")
     deps.put("shiro.version", "2.1.0")

geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle

@@ -25,7 +25,7 @@ repositories {
 
 dependencies {
   implementation("${project.group}:geode-core:${project.version}")
-  runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.25.3')
+  runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.25.4')
 }
 
 application {

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -1012,11 +1012,11 @@ lib/jna-platform-5.11.0.jar
 lib/joda-time-2.12.7.jar
 lib/jopt-simple-5.0.4.jar
 lib/jul-to-slf4j-2.0.17.jar
-lib/log4j-api-2.25.3.jar
-lib/log4j-core-2.25.3.jar
-lib/log4j-jcl-2.25.3.jar
-lib/log4j-jul-2.25.3.jar
-lib/log4j-slf4j-impl-2.25.3.jar
+lib/log4j-api-2.25.4.jar
+lib/log4j-core-2.25.4.jar
+lib/log4j-jcl-2.25.4.jar
+lib/log4j-jul-2.25.4.jar
+lib/log4j-slf4j-impl-2.25.4.jar
 lib/lucene-analysis-common-9.12.3.jar
 lib/lucene-analysis-phonetic-9.12.3.jar
 lib/lucene-core-9.12.3.jar

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -32,11 +32,11 @@ jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
 jakarta.xml.bind-api-4.0.2.jar
 jopt-simple-5.0.4.jar
-log4j-slf4j-impl-2.25.3.jar
-log4j-core-2.25.3.jar
-log4j-jcl-2.25.3.jar
-log4j-jul-2.25.3.jar
-log4j-api-2.25.3.jar
+log4j-slf4j-impl-2.25.4.jar
+log4j-core-2.25.4.jar
+log4j-jcl-2.25.4.jar
+log4j-jul-2.25.4.jar
+log4j-api-2.25.4.jar
 spring-aop-6.1.21.jar
 spring-shell-autoconfigure-3.3.3.jar
 spring-shell-standard-commands-3.3.3.jar

geode-docs/managing/logging/configuring_log4j2.html.md.erb

@@ -36,16 +36,16 @@ You can also configure Log4j 2 to work with various popular and commonly used lo
 
 For example, if you are using:
 
--   **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.25.3.jar`)
--   **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.25.3.jar`)
--   **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.25.3.jar`)
+-   **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.25.4.jar`)
+-   **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.25.4.jar`)
+-   **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.25.4.jar`)
 
 See [http://logging.apache.org/log4j/2.x/faq.html](http://logging.apache.org/log4j/2.x/faq.html) for more examples.
 
-All three of the above JAR files are in the full distribution of Log4J 2.25.3 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications.
+All three of the above JAR files are in the full distribution of Log4J 2.25.4 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications.
 
 **Note:**
-<%=vars.product_name_long%> has been tested with Log4j 2.25.3. As newer versions of Log4j 2 come out, you can find 2.25.3 under Previous Releases on that page.
+<%=vars.product_name_long%> has been tested with Log4j 2.25.4. As newer versions of Log4j 2 come out, you can find 2.25.4 under Previous Releases on that page.
 
 ## Customizing Your Own log4j2.xml File
 

geode-docs/managing/logging/how_logging_works.html.md.erb

@@ -21,9 +21,9 @@ limitations under the License.
 
 <%=vars.product_name%> uses [Apache Log4j 2](http://logging.apache.org/log4j/2.x/) API and Core libraries as the basis for its logging system. Log4j 2 API is a popular and powerful front-end logging API used by all the <%=vars.product_name%> classes to generate log statements. Log4j 2 Core is a backend implementation for logging; you can route any of the front-end logging API libraries to log to this backend. <%=vars.product_name%> uses the Core backend to run three custom Log4j 2 Appenders: **GeodeConsole**, **GeodeLogWriter**, and **GeodeAlert**.
 
-<%=vars.product_name%> has been tested with Log4j 2.25.3.
+<%=vars.product_name%> has been tested with Log4j 2.25.4.
 <%=vars.product_name%> requires the 
-`log4j-api-2.25.3.jar` and `log4j-core-2.25.3.jar`
+`log4j-api-2.25.4.jar` and `log4j-core-2.25.4.jar`
 JAR files to be in the classpath.
 Both of these JARs are distributed in the `<path-to-product>/lib` directory and included in the appropriate `*-dependencies.jar` convenience libraries.
 

geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb

@@ -108,9 +108,9 @@ If you are deploying an ear file:
     lib/geode-serialization-2.0.0.jar
     lib/jakarta.transaction-api-2.0.1.jar
     lib/jgroups-3.6.20.Final.jar
-    lib/log4j-api-2.25.3.jar
-    lib/log4j-core-2.25.3.jar
-    lib/log4j-jul-2.25.3.jar
+    lib/log4j-api-2.25.4.jar
+    lib/log4j-core-2.25.4.jar
+    lib/log4j-jul-2.25.4.jar
     ```
 
 ## <a id="weblogic_setting_up_the_module__section_20294A39368D4402AEFB3D074E8D5887" class="no-quick-link"></a>Peer-to-Peer Setup

geode-log4j/build.gradle

@@ -84,7 +84,7 @@ dependencies {
   // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
   // org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
   // org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
-  // log4j-core-test 2.25.3 transitively depends on assertj-core 3.27.3, but Geode's
+  // log4j-core-test 2.25.4 transitively depends on assertj-core 3.27.3, but Geode's
   // custom AssertJ assertions were built against 3.22.0. Force 3.22.0 to avoid
   // NoSuchMethodError: CommonValidations.failIfEmptySinceActualIsNotEmpty
   integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') {

geode-server-all/src/integrationTest/resources/dependency_classpath.txt

@@ -33,11 +33,11 @@ commons-lang3-3.18.0.jar
 jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
 jakarta.xml.bind-api-4.0.2.jar
-log4j-slf4j-impl-2.25.3.jar
-log4j-core-2.25.3.jar
-log4j-jcl-2.25.3.jar
-log4j-jul-2.25.3.jar
-log4j-api-2.25.3.jar
+log4j-slf4j-impl-2.25.4.jar
+log4j-core-2.25.4.jar
+log4j-jcl-2.25.4.jar
+log4j-jul-2.25.4.jar
+log4j-api-2.25.4.jar
 spring-shell-starter-3.3.3.jar
 rmiio-2.1.2.jar
 antlr-2.7.7.jar