[SCA] Security upgrade @org.apache.logging.log4j:log4j-core from 2.15.0 to 2.25.4 #173

Open

gwnlng wants to merge 2 commits into main from snyk-fix-b5b8dabbbff4ea7195a6d585fb948e27

Conversation

@gwnlng gwnlng commented Apr 10, 2026

This is a PR from Snyk, initiated by the Security team, to fix 3 vulnerabilities in the dependencies of this project.

Snyk changed the following file(s):

  • log4shell-goof/log4shell-server/pom.xml

Important

  • This PR was automatically generated by our security tool to help you fix known vulnerabilities in your project's third-party libraries more efficiently. However, there is a possibility that these changes could introduce functional regressions or breakages. Please ensure you test this PR thoroughly before merging.
  • If you have any questions or concerns, please seek support in the #sca-support Slack channel.

References:

  1. Latest project report in Snyk
  2. How to access Snyk via SSO?
  3. Snyk knowledge base

gwnlng commented Apr 10, 2026

Merge Risk: High

Upgrading log4j-core from version 2.15.0 to 2.25.4 introduces significant changes, including critical security fixes and several potential breaking changes that require developer attention.

Key Breaking Changes:

  • High-Precision Timestamps: A major breaking change was introduced in version 2.24.0. The XML, JSON, and YAML structured log formats no longer include the timeMillis attribute. It has been replaced with an Instant object containing epochSecond and nanoOfSecond attributes. [8] Applications that parse these log formats will need to be updated.
  • Removed Modules: Starting from version 2.24.0, several modules are no longer part of the main release and must be managed as separate dependencies. This includes log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3. [8]
  • Security Hardening: In response to vulnerabilities like Log4Shell, versions subsequent to 2.15.0 introduced stricter security defaults. JNDI lookups are disabled by default, and enabling scripting languages now requires explicit configuration via a system property. [2, 3]
  • SLF4J Binding Compatibility: Due to a compatibility break, Log4j now provides two separate SLF4J adapters. Developers must ensure they use the correct adapter (log4j-slf4j-impl for SLF4J 1.7.x or log4j-slf4j2-impl for SLF4J 2.x). [4, 6]

Recommendation:

Given that the starting version 2.15.0 is known to have critical vulnerabilities, this upgrade is necessary. [11] However, due to the high-impact breaking changes, thorough testing is required. Developers should:

  1. Verify if the application parses structured log formats (JSON, XML, YAML) and update the parsing logic for the new timestamp format.
  2. Check if the project uses any of the removed modules (log4j-kubernetes, etc.) and add them as explicit dependencies if needed.
  3. Confirm that logging configurations do not rely on the old, insecure defaults for JNDI or scripting.

Source: Apache Log4j Release Notes [8]

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
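Step 1 of the recommendation above, as an added example that is not part of this PR or of the log4shell-goof project: a small Python log consumer that reads Log4j 2 JSON events in both the pre-2.24.0 shape (a `timeMillis` field) and the 2.24.0+ shape (an `instant` object with `epochSecond` and `nanoOfSecond`), so it keeps working across the upgrade and reports which shape it saw. The two sample events are constructed for the example; the field names follow the release note cited in the comment.

```python
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample events (not real output from the project): the first is
# the pre-2.24.0 JsonLayout shape, the second the 2.24.0+ shape.
OLD_EVENT = '{"timeMillis":1712736000123,"level":"INFO","loggerName":"app","message":"started"}'
NEW_EVENT = ('{"instant":{"epochSecond":1712736000,"nanoOfSecond":123456789},'
             '"level":"INFO","loggerName":"app","message":"started"}')


def timestamp_format(event: dict) -> Optional[str]:
    """Return "instant" (2.24.0+), "timeMillis" (pre-2.24.0) or None if neither is present."""
    instant = event.get("instant")
    if isinstance(instant, dict) and "epochSecond" in instant:
        return "instant"
    if "timeMillis" in event:
        return "timeMillis"
    return None


def event_timestamp(event: dict) -> datetime:
    """Return the event time as a timezone-aware UTC datetime, whichever field carries it."""
    # "instant" wins when both fields are present (it is the higher-precision one);
    # an event with neither raises, so a further schema change is never silently ignored.
    fmt = timestamp_format(event)
    if fmt == "instant":
        secs = int(event["instant"]["epochSecond"])
        nanos = int(event["instant"].get("nanoOfSecond", 0))
        # datetime keeps microseconds, so the last three nanosecond digits are dropped.
        return datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=nanos // 1000)
    if fmt == "timeMillis":
        millis = int(event["timeMillis"])
        # Split the integer rather than dividing by 1000.0, which can round.
        return datetime.fromtimestamp(millis // 1000, tz=timezone.utc).replace(
            microsecond=(millis % 1000) * 1000)
    raise ValueError("no recognised timestamp field; keys: %s" % sorted(event))


def parse_event(line: str):
    """Parse one JSON event line into (UTC timestamp, name of the field that supplied it)."""
    event = json.loads(line)
    return event_timestamp(event), timestamp_format(event)


if __name__ == "__main__":
    for line in (OLD_EVENT, NEW_EVENT):
        ts, fmt = parse_event(line)
        print("%-10s %s" % (fmt, ts.isoformat()))
```

Counting how many events a consumer still sees with `timeMillis` after the upgrade is a quick way to find log producers that were not actually upgraded.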

gwnlng commented Apr 10, 2026

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
passed  Open Source Security  0         0     0       0    0 issues
passed  Licenses              0         0     0       0    0 issues
passed  Code Security         0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
