
[Cosmos][Kafka] Address jackson / netty / log4j CVEs in azure-cosmos-kafka-connect #49150

Draft
tvaron3 wants to merge 1 commit into Azure:main from tvaron3:kafkaDependencyUpdates

Conversation

@tvaron3 (Member) commented May 12, 2026

Description

Addresses the following CVEs reported against the published microsoftcorporation-kafka-connect-cosmos v1.18.0 connector for the azure-cosmos-kafka-connect module.

| CVE / Advisory | Package | Installed | Fixed | Severity | How it's fixed |
|---|---|---|---|---|---|
| GHSA-72hv-8253-57qq | com.fasterxml.jackson.core:jackson-core | 2.18.4.1 | 2.18.6 | MEDIUM | Already patched transitively via azure-cosmos 4.81.0-beta.1 (azure-core 1.58.0 pins jackson-core 2.18.6) |
| CVE-2026-33870 | io.netty:netty-codec-http | 4.1.127.Final | 4.1.132.Final | HIGH | Already patched transitively via azure-core-http-netty 1.16.4 |
| CVE-2025-67735 | io.netty:netty-codec-http | 4.1.127.Final | 4.1.132.Final | MEDIUM | Same as above |
| CVE-2026-33871 | io.netty:netty-codec-http2 | 4.1.127.Final | 4.1.132.Final | HIGH | Same as above |
| CVE-2025-68161 | org.apache.logging.log4j:log4j-core | 2.17.1 | 2.25.3 | MEDIUM | Explicitly bumped (test scope) via new cosmos_*-prefixed tokens in this PR |

Changes

  • eng/versioning/external_dependencies.txt — add three cosmos_org.apache.logging.log4j:* tokens at 2.25.3 so the kafka connector can advance independently of the global 2.17.2 pin used elsewhere (this mirrors the existing pattern for cosmos_org.apache.kafka:*, cosmos_io.confluent:*, etc.).
  • sdk/cosmos/azure-cosmos-kafka-connect/pom.xml — switch the three log4j-* test-scope dependencies to the new tokens at 2.25.3. No other cosmos modules are affected.
  • sdk/cosmos/azure-cosmos-kafka-connect/CHANGELOG.md — document the CVE fixes under the existing 2.11.0-beta.1 entry.

Why not pin jackson / netty explicitly?

azure-cosmos already aligns the full jackson and netty families to patched versions. Adding explicit pins here would (a) duplicate the alignment point, (b) risk version skew against jackson-databind / jackson-annotations / the rest of the netty family which are also managed transitively, and (c) be silently overridden by azure-cosmos bumps in the future. Letting the transitive chain do the work is the lower-risk option.

Scope notes

  • log4j-api, log4j-core, and log4j-slf4j-impl are <scope>test</scope> in pom.xml. They are not shaded into the published uber jar (maven-shade-plugin does not include test scope by default). The bump is purely to satisfy SBOM scanners that read the dependency-reduced POM published by the shade plugin.
  • The stale azure-cosmos-kafka-connect-1.0.0-beta.5.jar files that may appear locally under src/docker/connectors/ and src/test/connectorPlugins/connectors/ are gitignored and never published — build.sh deletes and rebuilds them before integration tests run. No action needed.

Validation

  • eng/versioning/pom_file_version_scanner.ps1 — passes (version comments match external_dependencies.txt).
  • Local maven package build was attempted but could not complete due to ADO feed auth in this dev environment (com.azure:azure-cosmos:pom:4.81.0-beta.1 returns 401). The repo pipeline will exercise the full build.

Related

Equivalent fixes may be needed in the standalone Confluent Hub v1 connector repo (out of scope for this PR).

* Bump test-scope log4j-api/core/slf4j-impl to 2.25.3 to address CVE-2025-68161
* Pick up patched jackson-core 2.18.6 and netty-codec-http/http2 4.1.132.Final
  transitively via azure-cosmos 4.81.0-beta.1 (addresses GHSA-72hv-8253-57qq,
  CVE-2026-33870, CVE-2025-67735, CVE-2026-33871)
* Introduce cosmos_-prefixed log4j tokens in external_dependencies.txt so the
  kafka connector can move ahead of the global 2.17.2 pin without disturbing
  other cosmos modules

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
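An added check, not code from this PR or from the azure-sdk-for-java repository, that turns the advisory table and the scope notes above into something a reviewer can run. It parses either `mvn dependency:tree` output (which is what actually shows the versions azure-cosmos pulls in transitively) or a dependency-reduced POM (which is what an SBOM scanner sees after shading), and reports every listed package still below its fixed version, marking whether its scope puts it into the shaded jar or only into the POM. Both inputs are constructed samples; the `OLD` placeholder versions on the parent artifacts and the `FIXED` map (keyed from the table) are assumptions of the example.

```python
"""Audit resolved Maven versions against the advisory table.

Added example; not code from azure-sdk-for-java. The dependency:tree
text and the dependency-reduced POM below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions, copied from the PR description's table.
FIXED = {
    "com.fasterxml.jackson.core:jackson-core": "2.18.6",
    "io.netty:netty-codec-http": "4.1.132.Final",
    "io.netty:netty-codec-http2": "4.1.132.Final",
    "org.apache.logging.log4j:log4j-core": "2.25.3",
}

# Scopes maven-shade-plugin folds into the uber jar. Test scope stays out
# of the jar but is still listed in the dependency-reduced POM.
SHIPPED_SCOPES = {"compile", "runtime"}

# dependency:tree prints groupId:artifactId:type[:classifier]:version:scope
TREE_LINE = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<t>[\w\-]+):(?:(?P<c>[\w\-]+):)?"
    r"(?P<v>[\w.\-]+):(?P<s>compile|runtime|provided|test|system)"
)


def version_key(v):
    """Leading dotted integers as a tuple, so 4.1.127.Final -> (4, 1, 127)
    and 2.18.4.1 -> (2, 18, 4, 1); qualifiers like Final are dropped."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def parse_tree(text):
    """(group:artifact, version, scope) for each resolved node in tree output."""
    deps = []
    for line in text.splitlines():
        m = TREE_LINE.search(line)
        if m:
            deps.append((f"{m['g']}:{m['a']}", m["v"], m["s"]))
    return deps


def parse_pom(xml_text):
    """(group:artifact, version, scope) for each <dependency> in a POM."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    deps = []
    for dep in root.iter(ns + "dependency"):
        key = f"{dep.findtext(ns + 'groupId')}:{dep.findtext(ns + 'artifactId')}"
        scope = dep.findtext(ns + "scope") or "compile"  # Maven default scope
        deps.append((key, dep.findtext(ns + "version"), scope))
    return deps


def audit(deps):
    """Entries still below their fixed version, as
    (group:artifact, installed, scope, fixed, shipped_in_jar)."""
    return [
        (key, ver, scope, FIXED[key], scope in SHIPPED_SCOPES)
        for key, ver, scope in deps
        if key in FIXED and version_key(ver) < version_key(FIXED[key])
    ]


# Constructed "before" state matching the table's Installed column, in
# dependency:tree format. OLD is a placeholder, not a real release.
SAMPLE_TREE_BEFORE = r"""
[INFO] com.azure.cosmos.kafka:azure-cosmos-kafka-connect:jar:1.18.0
[INFO] +- com.azure:azure-cosmos:jar:OLD:compile
[INFO] |  +- com.azure:azure-core:jar:OLD:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.18.4.1:compile
[INFO] |  \- com.azure:azure-core-http-netty:jar:OLD:compile
[INFO] |     +- io.netty:netty-codec-http:jar:4.1.127.Final:compile
[INFO] |     \- io.netty:netty-codec-http2:jar:4.1.127.Final:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:test
"""

# Constructed dependency-reduced POM after the log4j bump: shaded compile
# dependencies are gone, only the test-scope entry remains for scanners.
SAMPLE_REDUCED_POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.25.3</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


if __name__ == "__main__":
    for key, ver, scope, fixed, shipped in audit(parse_tree(SAMPLE_TREE_BEFORE)):
        where = "IN PUBLISHED JAR" if shipped else "test scope only (SBOM noise)"
        print(f"{key} {ver} < {fixed} [{scope}] {where}")
    print("reduced POM after PR:", audit(parse_pom(SAMPLE_REDUCED_POM_AFTER)))
```

Point `parse_tree` at the output of `mvn dependency:tree` run in sdk/cosmos/azure-cosmos-kafka-connect, and `parse_pom` at the dependency-reduced POM the shade plugin writes during `mvn package`. The tree is the input that verifies the transitive jackson/netty claim; the reduced POM cannot, because dependencies that were shaded into the jar are removed from it, which is also why only the test-scope log4j entries are what the SBOM scanner keeps flagging.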