[Cosmos][Kafka] Address jackson / netty / log4j CVEs in azure-cosmos-kafka-connect

eng/versioning/external_dependencies.txt

@@ -280,6 +280,9 @@ cosmos_org.testcontainers:kafka;1.21.4
 cosmos_org.sourcelab:kafka-connect-client;4.0.4
 cosmos_io.confluent:kafka-avro-serializer;7.6.0
 cosmos_org.apache.avro:avro;1.11.4
+cosmos_org.apache.logging.log4j:log4j-api;2.25.3
+cosmos_org.apache.logging.log4j:log4j-core;2.25.3
+cosmos_org.apache.logging.log4j:log4j-slf4j-impl;2.25.3
 # Maven Tools for Cosmos Kafka connector only
 
 # sdk\resourcemanager\azure-resourcemanager\pom.xml

sdk/cosmos/azure-cosmos-kafka-connect/CHANGELOG.md

@@ -9,6 +9,8 @@
 #### Bugs Fixed
 
 #### Other Changes
+* Updated `log4j-api`, `log4j-core` and `log4j-slf4j-impl` test dependencies to `2.25.3` to address [CVE-2025-68161](https://github.com/advisories/GHSA-pgxp-9w8h-vfh4) (Apache Log4j: information disclosure via missing TLS hostname verification).
+* Picked up patched versions of `jackson-core` (`2.18.6`) and `netty-codec-http`/`netty-codec-http2` (`4.1.132.Final`) transitively via `azure-cosmos` `4.81.0-beta.1`, addressing [GHSA-72hv-8253-57qq](https://github.com/advisories/GHSA-72hv-8253-57qq), [CVE-2026-33870](https://nvd.nist.gov/vuln/detail/CVE-2026-33870), [CVE-2025-67735](https://nvd.nist.gov/vuln/detail/CVE-2025-67735) and [CVE-2026-33871](https://nvd.nist.gov/vuln/detail/CVE-2026-33871).
 
 ### 2.10.0 (2026-05-01)
 

sdk/cosmos/azure-cosmos-kafka-connect/pom.xml

@@ -181,21 +181,21 @@ Licensed under the MIT License.
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-slf4j-impl</artifactId>
-      <version>2.17.2</version> <!-- {x-version-update;org.apache.logging.log4j:log4j-slf4j-impl;external_dependency} -->
+      <version>2.25.3</version> <!-- {x-version-update;cosmos_org.apache.logging.log4j:log4j-slf4j-impl;external_dependency} -->
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-api</artifactId>
-      <version>2.17.2</version> <!-- {x-version-update;org.apache.logging.log4j:log4j-api;external_dependency} -->
+      <version>2.25.3</version> <!-- {x-version-update;cosmos_org.apache.logging.log4j:log4j-api;external_dependency} -->
       <scope>test</scope>
     </dependency>
 
     <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-core</artifactId>
-      <version>2.17.2</version> <!-- {x-version-update;org.apache.logging.log4j:log4j-core;external_dependency} -->
+      <version>2.25.3</version> <!-- {x-version-update;cosmos_org.apache.logging.log4j:log4j-core;external_dependency} -->
       <scope>test</scope>
     </dependency>