[SCA] Security upgrade @org.apache.logging.log4j:log4j-core from 2.14.1 to 2.25.4 #174

Open
gwnlng wants to merge 2 commits into main from snyk-fix-57f0fc7408e2f9e63f32c9f42472915e

Conversation

@gwnlng (Owner) commented Apr 10, 2026


This is a PR from Snyk, initiated by the Security team, to fix 3 vulnerabilities in the dependencies of this project.

Snyk changed the following file(s):

  • log4shell-goof/log4shell-client/pom.xml

Important

  • This PR was automatically generated by our security tool to help you fix known vulnerabilities in your project's third-party libraries more efficiently. However, there is a possibility that these changes could introduce functional regressions or breakages. Please ensure you test this PR thoroughly before merging.
  • If you have any questions or concerns, please seek support in the #sca-support Slack channel.

References:

  1. Latest project report in Snyk
  2. How to access Snyk via SSO?
  3. Snyk knowledge base

@gwnlng (Owner, Author) commented Apr 10, 2026

Merge Risk: High

This upgrade spans multiple significant releases, including the critical security updates that addressed the Log4Shell vulnerability (CVE-2021-44228). It introduces several breaking changes and important behavioral modifications that require verification.

Key Breaking Changes:

  • Message Lookups Disabled by Default (v2.15.0+): To mitigate the Log4Shell vulnerability, message lookups (${...}) are no longer enabled by default. If your application relied on this feature, you must explicitly enable it in your pattern layout (e.g., %m{lookups}). However, this is strongly discouraged for security reasons.

  • JNDI Hardening (v2.17.0+): JNDI is now disabled by default. Enabling JNDI features requires setting specific system properties (e.g., log4j2.enableJndiLookup). The generic log4j2.enableJndi property has been removed.

  • Removed Modules (v2.24.0+): The log4j-mongodb3, log4j-flume-ng, and log4j-kubernetes modules have been removed from the main project and now have independent release cycles. If you use these, you must update your project dependencies to include them directly.

  • Java Version: The minimum requirement of Java 8 is unchanged between version 2.14.1 and 2.25.4.

Recommendation:

Due to the security-driven breaking changes, you must carefully review your logging configurations (log4j2.xml, etc.). Verify that your logging patterns and any use of JNDI are still functioning as expected. If you use any of the removed modules, update your build to include the new artifacts.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
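As an added example that is not part of this PR or of the log4shell-goof project, the Python script below turns the merge-risk checklist into an automated review: it reads the log4j-core version out of a pom.xml (resolving a `${property}` reference against `<properties>`), compares it against the version thresholds quoted in the note (message lookups disabled by default from 2.15.0, JNDI from 2.17.0), flags any of the three removed modules still declared as dependencies, and scans a log4j2.xml for a layout pattern that opts back into `%m{lookups}`. The pom.xml and log4j2.xml fragments embedded in it are constructed stand-ins rather than the project's real files; the group, artifact and module names come from the PR text and the thresholds from the note above.

```python
import re
import xml.etree.ElementTree as ET

# Thresholds as stated in the merge-risk note: lookups off by default from 2.15.0,
# JNDI off by default from 2.17.0 (assumed here as the review boundaries).
LOOKUPS_DISABLED_FROM = (2, 15, 0)
JNDI_DISABLED_FROM = (2, 17, 0)
# Modules the note lists as removed from the main project in 2.24.0+.
REMOVED_MODULES = {"log4j-mongodb3", "log4j-flume-ng", "log4j-kubernetes"}
# A %m / %msg / %message conversion carrying a {lookups} option re-enables lookups.
LOOKUP_PATTERN = re.compile(r"%(?:m|msg|message)\{[^}]*\blookups\b[^}]*\}")


def _local(tag: str) -> str:
    """Strip the XML namespace Maven puts on every POM element."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_version(text: str) -> tuple:
    """'2.25.4' -> (2, 25, 4); trailing qualifiers such as '-rc1' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def log4j_core_version(pom_xml: str):
    """Declared org.apache.logging.log4j:log4j-core version, or None if absent."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in elem}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if (_child_text(dep, "groupId") == "org.apache.logging.log4j"
                and _child_text(dep, "artifactId") == "log4j-core"):
            version = _child_text(dep, "version") or ""
            m = re.fullmatch(r"\$\{([^}]+)\}", version)
            return props.get(m.group(1), version) if m else version
    return None


def removed_modules_referenced(pom_xml: str) -> list:
    """Artifacts still declared that the note says now ship separately."""
    root = ET.fromstring(pom_xml)
    return sorted(_child_text(d, "artifactId") for d in root.iter()
                  if _local(d.tag) == "dependency"
                  and _child_text(d, "artifactId") in REMOVED_MODULES)


def patterns_enabling_lookups(log4j2_xml: str) -> list:
    """Every layout pattern (attribute or <Pattern> element) using %m{lookups}."""
    root = ET.fromstring(log4j2_xml)
    hits = []
    for elem in root.iter():
        candidates = [elem.get("pattern") or ""]
        if _local(elem.tag) == "Pattern":
            candidates.append(elem.text or "")
        hits.extend(c for c in candidates if LOOKUP_PATTERN.search(c))
    return hits


def review(pom_xml: str, log4j2_xml: str) -> dict:
    """Summarise what a reviewer of this upgrade needs to confirm."""
    version = log4j_core_version(pom_xml)
    v = parse_version(version) if version else ()
    return {
        "log4j_core_version": version,
        "lookups_disabled_by_default": bool(v) and v >= LOOKUPS_DISABLED_FROM,
        "jndi_disabled_by_default": bool(v) and v >= JNDI_DISABLED_FROM,
        "removed_modules_in_pom": removed_modules_referenced(pom_xml),
        "patterns_reenabling_lookups": patterns_enabling_lookups(log4j2_xml),
    }


# Constructed sample inputs: stand-ins for the project's pom.xml and log4j2.xml.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><log4j.version>2.14.1</log4j.version></properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId><version>${log4j.version}</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-kubernetes</artifactId><version>${log4j.version}</version></dependency>
  </dependencies>
</project>"""
POM_AFTER = POM_BEFORE.replace("2.14.1", "2.25.4")

CONFIG_WEAK = """<Configuration>
  <Appenders><Console name="out"><PatternLayout pattern="%d %p %m{lookups}%n"/></Console></Appenders>
  <Loggers><Root level="info"><AppenderRef ref="out"/></Root></Loggers>
</Configuration>"""
CONFIG_HARDENED = CONFIG_WEAK.replace("%m{lookups}", "%m")

if __name__ == "__main__":
    for label, pom, cfg in (("before", POM_BEFORE, CONFIG_WEAK),
                            ("after", POM_AFTER, CONFIG_HARDENED)):
        print(label, review(pom, cfg))
```

Running it prints one summary for the 2.14.1 pom paired with a `%m{lookups}` layout and one for the 2.25.4 pom paired with a plain `%m` layout. The removed-module finding is present in both: bumping the version alone leaves `log4j-kubernetes` declared under the old coordinates, which is the kind of build breakage the note asks reviewers to check for before merging.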

@gwnlng (Owner, Author) commented Apr 10, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total (0)
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
