GEODE-10580: Remediate CVE-2026-34478 - Improper Output Neutralization for Logs (support/1.15)#8006

Open
JinwooHwang wants to merge 1 commit into apache:support/1.15 from JinwooHwang:feature/GEODE-10580

Conversation

@JinwooHwang
Contributor

Summary

Backport Log4j upgrade from 2.25.3 to 2.25.4 on the support/1.15 branch to remediate CVE-2026-34478. Also corrects stale Log4j version references (2.17.2, 2.12.0, 2.5) in resource files and documentation that were missed during the prior GEODE-10544 upgrade.

Security Vulnerability

| Field | Detail |
| --- | --- |
| CVE | CVE-2026-34478 |
| CVSS | 6.9 MEDIUM (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N) |
| CWE | CWE-117 Improper Output Neutralization for Logs, CWE-684 Incorrect Provision of Specified Functionality |
| Affected versions | Log4j Core 2.21.0 through 2.25.3 |
| Fixed in | Log4j Core 2.25.4 |
| Published | 2026-04-10 |

Description

Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is vulnerable to log injection via CRLF sequences due to undocumented renames of security-relevant configuration attributes. Two distinct issues affect users of stream-based syslog services who configure Rfc5424Layout directly:

  1. newLineEscape attribute silently renamed — Newline escaping stopped working for users of TCP framing (RFC 6587), exposing them to CRLF injection in log output.
  2. useTlsMessageFormat attribute silently renamed — Users of TLS framing (RFC 5425) were silently downgraded to unframed TCP (RFC 6587) without newline escaping.

Users of the SyslogAppender are not affected, as its configuration attributes were not modified.
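The two issues above come down to one mechanism: an RFC 5424 message carried over a stream transport is only safe against CRLF injection if either newlines inside the message are escaped (what `newLineEscape` provides for RFC 6587 non-transparent framing) or the transport uses octet-counting framing (what RFC 5425 TLS framing provides). The following added example, written for this page and not taken from Geode or Log4j, models both framings with a small producer and receiver and shows how a constructed, attacker-controlled field containing a CRLF turns one record into two at a newline-delimited receiver, while escaping or octet counting keeps it as one. The timestamp, hostname and the `\n` replacement string are assumptions chosen for determinism; the Log4j defaults are not asserted here.

```python
"""Added example (not Geode or Log4j code): why newline escaping and message
framing matter for RFC 5424 over stream transports (CVE-2026-34478 context)."""
import re

# A record the receiver will accept as a syslog message starts with PRI and VERSION.
SYSLOG_HEADER = re.compile(r"^<\d{1,3}>1 ")


def rfc5424_message(app_name: str, msg: str, priority: int = 14) -> str:
    """Minimal RFC 5424 message: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
    Timestamp and hostname are fixed placeholders (assumption) so output is deterministic."""
    return f"<{priority}>1 2026-04-16T18:38:00Z host {app_name} - - - {msg}"


def escape_newlines(msg: str, replacement: str = "\\n") -> str:
    """Replace CR, LF and CRLF with a visible escape sequence before framing.
    This is the effect the page attributes to the newLineEscape attribute; the
    exact replacement string is an assumption for this example."""
    return msg.replace("\r\n", replacement).replace("\r", replacement).replace("\n", replacement)


def frame_non_transparent(messages: list[str]) -> str:
    """RFC 6587 section 3.4.2 non-transparent framing: each message ends with LF."""
    return "".join(m + "\n" for m in messages)


def parse_non_transparent(stream: str) -> list[str]:
    """Receiver side of non-transparent framing: split the stream on LF."""
    return [rec for rec in stream.split("\n") if rec]


def frame_octet_counting(messages: list[str]) -> bytes:
    """RFC 5425 section 4.3 / RFC 6587 section 3.4.1 octet counting: 'MSG-LEN SP MSG',
    where MSG-LEN is the UTF-8 octet length, so embedded newlines cannot split a record."""
    return b"".join(f"{len(m.encode())} ".encode() + m.encode() for m in messages)


def parse_octet_counting(stream: bytes) -> list[str]:
    """Receiver side of octet counting: read the declared length, then that many octets."""
    records, i = [], 0
    while i < len(stream):
        sp = stream.index(b" ", i)
        n = int(stream[i:sp])
        records.append(stream[sp + 1:sp + 1 + n].decode())
        i = sp + 1 + n
    return records


def accepted_records(records: list[str]) -> int:
    """Count records a receiver would treat as syslog messages (header present)."""
    return sum(1 for r in records if SYSLOG_HEADER.match(r))


def unescaped_newlines(messages: list[str]) -> list[str]:
    """Producer-side check usable in a test: layout output that still carries raw CR/LF
    on a newline-delimited transport is exactly the condition the CVE describes."""
    return [m for m in messages if "\r" in m or "\n" in m]


def demo() -> tuple[int, int, int]:
    """Returns accepted record counts for (unescaped LF framing, escaped LF framing,
    octet counting) when one log call carries a constructed CRLF-bearing field."""
    # Constructed input: a user-controlled value that embeds a CRLF and a header-shaped tail.
    user_input = "login failed for bob\r\n<14>1 2026-04-16T18:38:00Z host app - - - (attacker-supplied second record)"
    raw = rfc5424_message("app", user_input)

    # Issue 1 on the page: LF framing with escaping lost -> receiver sees two records.
    lost_escaping = accepted_records(parse_non_transparent(frame_non_transparent([raw])))
    # Escaping restored -> the CRLF becomes literal text inside one record.
    with_escaping = accepted_records(parse_non_transparent(
        frame_non_transparent([rfc5424_message("app", escape_newlines(user_input))])))
    # Issue 2 on the page: octet counting (the RFC 5425 style framing that was silently
    # downgraded) is immune to the split even without escaping.
    octet_counted = accepted_records(parse_octet_counting(frame_octet_counting([raw])))
    return lost_escaping, with_escaping, octet_counted


if __name__ == "__main__":
    print(demo())  # (2, 1, 1)
```

A unit test in a project that configures `Rfc5424Layout` directly could feed a message containing `\r\n` through the layout and assert `unescaped_newlines(...)` is empty whenever the appender uses LF-delimited framing; a silent attribute rename of the kind described above would fail that test at upgrade time rather than in production.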

Changes

Version string updates across 10 files (34 insertions, 34 deletions):

| File | Old version | What changed |
| --- | --- | --- |
| build-tools/geode-dependency-management/.../DependencyConstraints.groovy | 2.25.3 | Central managed version definition |
| geode-assembly/.../management/build.gradle | 2.12.0 | Hardcoded log4j-slf4j-impl dependency |
| boms/geode-all-bom/.../expected-pom.xml | 2.17.2 (×5) | 5 `<version>` entries in expected POM |
| geode-assembly/.../assembly_content.txt | 2.17.2 (×5) | 5 jar filename references |
| geode-assembly/.../gfsh_dependency_classpath.txt | 2.17.2 (×5) | 5 jar filename references |
| geode-server-all/.../dependency_classpath.txt | 2.17.2 (×5) | 5 jar filename references |
| geode-docs/.../configuring_log4j2.html.md.erb | 2.17.2 (×5) | Documentation references |
| geode-docs/.../how_logging_works.html.md.erb | 2.17.2 (×2) | Documentation references |
| geode-docs/.../weblogic_setting_up_the_module.html.md.erb | 2.5 (×3) | Documentation jar filename references |

Note: The prior GEODE-10544 upgrade (2.17.2 → 2.25.3) on support/1.15 only updated DependencyConstraints.groovy, geode-log4j/build.gradle, and 20 Java test import files. It missed the resource files, expected POM, documentation, and management build.gradle — all of which still referenced older versions. This PR corrects all of them to 2.25.4.

No code logic changes — this is a dependency version bump only.

References

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

…n for Logs

Upgrade Apache Log4j from 2.25.3 to 2.25.4 on support/1.15 to remediate
CVE-2026-34478 (CVSS 6.9 MEDIUM). Also corrects stale Log4j version
references (2.17.2, 2.12.0, 2.5) missed during the prior GEODE-10544
upgrade.

VULNERABILITY:
  Log4j Core's Rfc5424Layout (versions 2.21.0 through 2.25.3) is
  vulnerable to log injection via CRLF sequences due to undocumented
  renames of security-relevant configuration attributes (CWE-117,
  CWE-684). Two issues affect users of stream-based syslog services:
  - The newLineEscape attribute was silently renamed, disabling newline
    escaping for TCP framing (RFC 6587) and exposing CRLF injection.
  - The useTlsMessageFormat attribute was silently renamed, silently
    downgrading TLS framing (RFC 5425) to unframed TCP without newline
    escaping.

REMEDIATION:
  Updated all Log4j dependency references to 2.25.4 across dependency
  constraints, build files, expected POM, resource files, and
  documentation. Corrected stale 2.17.2/2.12.0/2.5 references that
  were missed by the prior GEODE-10544 upgrade.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2026-34478
  apache/logging-log4j2#4074
  https://logging.apache.org/security.html#CVE-2026-34478
@JinwooHwang JinwooHwang requested a review from kaajaln2 April 16, 2026 18:38