GEODE-10579: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs#8005

Open
JinwooHwang wants to merge 1 commit intoapache:developfrom
JinwooHwang:feature/GEODE-10579

Conversation

@JinwooHwang
Contributor

Summary

Upgrade Apache Log4j from 2.25.3 to 2.25.4 to remediate CVE-2026-34478.

Security Vulnerability

  • CVE: CVE-2026-34478
  • CVSS: 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N)
  • CWE: CWE-117 Improper Output Neutralization for Logs, CWE-684 Incorrect Provision of Specified Functionality
  • Affected versions: Log4j Core 2.21.0 through 2.25.3
  • Fixed in: Log4j Core 2.25.4
  • Published: 2026-04-10

Description

Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  1. newLineEscape attribute silently renamed — Newline escaping stopped working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  2. useTlsMessageFormat attribute silently renamed — Users of TLS framing (RFC 5425) were silently downgraded to unframed TCP (RFC 6587) without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.

Changes

Pure version string replacement of 2.25.3 to 2.25.4 across 10 files (33 insertions, 33 deletions):

  • build-tools/geode-dependency-management/.../DependencyConstraints.groovy: central managed version definition
  • geode-assembly/.../management/build.gradle: hardcoded log4j-slf4j-impl dependency
  • boms/geode-all-bom/.../expected-pom.xml: 5 <version> entries in expected POM
  • geode-assembly/.../assembly_content.txt: 5 jar filename references
  • geode-assembly/.../gfsh_dependency_classpath.txt: 5 jar filename references
  • geode-server-all/.../dependency_classpath.txt: 5 jar filename references
  • geode-docs/.../configuring_log4j2.html.md.erb: documentation references
  • geode-docs/.../how_logging_works.html.md.erb: documentation references
  • geode-docs/.../weblogic_setting_up_the_module.html.md.erb: documentation references

No code logic changes — this is a dependency version bump only.

Verification

  • ./gradlew test: BUILD SUCCESSFUL
  • No remaining references to 2.25.3 in the codebase
  • Rebased cleanly onto latest origin/develop with no merge conflicts

References

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

…n for Logs

Upgrade Apache Log4j from 2.25.3 to 2.25.4 to remediate CVE-2026-34478
(CVSS 6.9 MEDIUM).

VULNERABILITY:
  Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
  vulnerable to log injection via CRLF sequences due to undocumented
  renames of security-relevant configuration attributes (CWE-117,
  CWE-684). Two issues affect users of stream-based syslog services:
  - The newLineEscape attribute was silently renamed, disabling newline
    escaping for TCP framing (RFC 6587) and exposing CRLF injection.
  - The useTlsMessageFormat attribute was silently renamed, silently
    downgrading TLS framing (RFC 5425) to unframed TCP without newline
    escaping.

REMEDIATION:
  Updated all Log4j dependency references from 2.25.3 to 2.25.4 across
  dependency constraints, build files, documentation, and test resources.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2026-34478
  apache/logging-log4j2#4074
  https://logging.apache.org/security.html#CVE-2026-34478
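The PR description and commit message above both turn on one mechanism: a syslog receiver using RFC 6587 non-transparent framing ends a record at the next LF, so a message that still contains CR/LF becomes several records unless the layout neutralises them (CWE-117), whereas the RFC 5425 TLS format bounds each record by an octet count instead. The following is an added, self-contained illustration of that difference; it is not code from this PR, from Apache Geode or from Log4j, the RFC 5424 header fields are constructed constants, and the single-space replacement stands in for Log4j's configurable escape string.

```python
# Constructed illustration of syslog framing and CWE-117 newline
# neutralisation. Not code from this PR, Apache Geode or Log4j; the
# RFC 5424 header fields below are made-up constants.

# Minimal RFC 5424 header: PRI+VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD
HEADER = "<14>1 2026-04-16T14:52:00Z geode-host geode - - -"


def escape_newlines(msg: str, replacement: str = " ") -> str:
    """Neutralise CR/LF so one log call can never become several records.
    Log4j's own escape string is configurable; a single space is used here."""
    return (msg.replace("\r\n", replacement)
               .replace("\r", replacement)
               .replace("\n", replacement))


def rfc5424_record(msg: str, escape: bool) -> str:
    """Build one RFC 5424 message, with or without newline escaping."""
    body = escape_newlines(msg) if escape else msg
    return f"{HEADER} {body}"


def frame_non_transparent(record: str) -> bytes:
    """RFC 6587 section 3.4.2: the receiver ends a record at the next LF."""
    return (record + "\n").encode("utf-8")


def frame_octet_counted(record: str) -> bytes:
    """RFC 6587 section 3.4.1 / RFC 5425: 'MSG-LEN SP SYSLOG-MSG'.
    The length prefix, not a delimiter, bounds the record."""
    data = record.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def split_non_transparent(stream: bytes) -> list[str]:
    """What a non-transparent TCP receiver reconstructs from the stream."""
    return [r for r in stream.decode("utf-8").split("\n") if r != ""]


def split_octet_counted(stream: bytes) -> list[str]:
    """What an octet-counting (RFC 5425 style) receiver reconstructs."""
    records = []
    pos = 0
    while pos < len(stream):
        space = stream.index(b" ", pos)
        length = int(stream[pos:space])
        start = space + 1
        records.append(stream[start:start + length].decode("utf-8"))
        pos = start + length
    return records


def records_received(msg: str, escape: bool, framing: str) -> list[str]:
    """Send one log message through the chosen framing and return the
    records a receiver would reconstruct from it."""
    record = rfc5424_record(msg, escape)
    if framing == "octet-counted":
        return split_octet_counted(frame_octet_counted(record))
    if framing == "non-transparent":
        return split_non_transparent(frame_non_transparent(record))
    raise ValueError(f"unknown framing: {framing}")


if __name__ == "__main__":
    # Constructed sample: a logged value that carries an embedded newline.
    sample = "config reload failed for region\nsecond line from the same event"
    for framing in ("octet-counted", "non-transparent"):
        for escape in (True, False):
            got = records_received(sample, escape, framing)
            print(f"{framing:16} escape={escape!s:5} -> {len(got)} record(s)")
```

Running it shows the three cases the advisory describes: octet-counted framing yields one record whether or not escaping is on, non-transparent framing with escaping yields one record, and non-transparent framing without escaping yields two. That last combination is exactly what a silently disabled newLineEscape, or a silent downgrade from the RFC 5425 format to unframed TCP, produces.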
@JinwooHwang JinwooHwang requested a review from kaajaln2 April 16, 2026 14:52