Skip to content

Bump org.apache.logging.log4j:log4j-core from 2.22.1 to 2.25.3 #18874

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
abhishekrb19 merged 1 commit into from
Dec 29, 2025
Merged

Bump org.apache.logging.log4j:log4j-core from 2.22.1 to 2.25.3 #18874

abhishekrb19 merged 1 commit into from
Dec 29, 2025

Conversation

@ashwintumma23
Copy link
Contributor

@ashwintumma23 ashwintumma23 commented Dec 29, 2025

Description

Summary ...

Updates org.apache.logging.log4j:log4j-core from 2.22.1 to 2.25.3 to address CVE-2025-68161.

References

CVE-2025-68161: https://nvd.nist.gov/vuln/detail/CVE-2025-68161

Reason for upgrade

  • Upgrading resolves the vulnerability (CVE-2025-68161) and ensures Druid uses a secure version of org.apache.logging.log4j:log4j-core dependency.
  • This prevents a Man-in-the-Middle attacker to intercept or redirect log traffic under the following conditions:
    • The attacker is able to intercept or redirect network traffic between the client and the log receiver.
    • The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).

Tests

  • Verified the dependency resolves correctly
  • Build completes successfully with the updated version

Release note

Upgraded org.apache.logging.log4j:log4j-core version to 2.25.3 to resolve CVE-2025-68161.

Key changed/added classes in this PR
  • Top Level pom.xml

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

abhishekrb19
abhishekrb19 reviewed Dec 29, 2025
View reviewed changes
Copy link
Contributor

@abhishekrb19 abhishekrb19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @ashwintumma23!

By default, the docs and quickstart don’t use the SocketAppender in the log4j config, so this vulnerability isn’t directly applicable. But it’s still good to update the dependency to pick up the fix and to cover configurations that may be in use out in the wild.

@abhishekrb19 abhishekrb19 merged commit 150a457 into apache:master Dec 29, 2025
49 checks passed
@ashwintumma23 ashwintumma23 deleted the log4j branch December 29, 2025 20:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@abhishekrb19 abhishekrb19 abhishekrb19 approved these changes

Assignees

No one assigned

Labels

Area - Dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ashwintumma23 @abhishekrb19