GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202… (#7975)

* GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-2025-68161

- Updated log4j version to 2.25.3 in DependencyConstraints.groovy
- Added log4j-core-test dependency for integration tests
- Migrated integration test imports to new log4j-core-test package structure:
  * org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
  * org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
- Added GraalVM annotation processor configuration to suppress compilation warnings
- Updated documentation references to log4j 2.25.3
- Updated test resource files with new JAR versions

All 21 integration tests migrated with zero logic changes.
Build successful with all tests passing.

* GEODE-10543: Fix GraalVM annotation processor options to apply only to main compilation

The annotation processor options were being applied to all JavaCompile tasks including integration tests, where the Log4j GraalVM processor is not triggered. This caused compilation warnings about unrecognized processor options.

Changed from tasks.withType(JavaCompile) to tasks.named('compileJava') to restrict the configuration to main source compilation only.

* GEODE-10543: Exclude AssertJ 3.27.3 from log4j-core-test to prevent NoSuchMethodError

Log4j 2.25.3's log4j-core-test transitively depends on AssertJ 3.27.3, but Geode's
custom AssertJ assertions (AbstractLogFileAssert) were built against AssertJ 3.22.0.
The CommonValidations.failIfEmptySinceActualIsNotEmpty method signature changed
between versions, causing NoSuchMethodError at runtime.

Exclude assertj-core from log4j-core-test dependency to force usage of 3.22.0,
ensuring binary compatibility with Geode's test infrastructure.

Author: JinwooHwang

boms/geode-all-bom/src/test/resources/expected-pom.xml

@@ -530,27 +530,27 @@
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-api</artifactId>
-        <version>2.17.2</version>
+        <version>2.25.3</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-core</artifactId>
-        <version>2.17.2</version>
+        <version>2.25.3</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-jcl</artifactId>
-        <version>2.17.2</version>
+        <version>2.25.3</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-jul</artifactId>
-        <version>2.17.2</version>
+        <version>2.25.3</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
         <artifactId>log4j-slf4j-impl</artifactId>
-        <version>2.17.2</version>
+        <version>2.25.3</version>
       </dependency>
       <dependency>
         <groupId>org.apache.lucene</groupId>

build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy

@@ -46,7 +46,7 @@ class DependencyConstraints {
     deps.put("jakarta.annotation.version", "2.1.1")
     deps.put("jakarta.ejb.version", "4.0.1")
     deps.put("jgroups.version", "3.6.20.Final")
-    deps.put("log4j.version", "2.17.2")
+    deps.put("log4j.version", "2.25.3")
     deps.put("log4j-slf4j2-impl.version", "2.23.1")
     deps.put("micrometer.version", "1.14.0")
     deps.put("shiro.version", "1.13.0")
@@ -258,6 +258,7 @@ class DependencyConstraints {
     dependencySet(group: 'org.apache.logging.log4j', version: get('log4j.version')) {
       entry('log4j-api')
       entry('log4j-core')
+      entry('log4j-core-test')
       entry('log4j-jcl')
       entry('log4j-jul')
       entry('log4j-slf4j-impl')

geode-assembly/src/acceptanceTest/resources/gradle-test-projects/management/build.gradle

@@ -25,7 +25,7 @@ repositories {
 
 dependencies {
   implementation("${project.group}:geode-core:${project.version}")
-  runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.17.2')
+  runtimeOnly('org.apache.logging.log4j:log4j-slf4j-impl:2.25.3')
 }
 
 application {

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -1012,11 +1012,11 @@ lib/jna-platform-5.11.0.jar
 lib/joda-time-2.12.7.jar
 lib/jopt-simple-5.0.4.jar
 lib/jul-to-slf4j-2.0.16.jar
-lib/log4j-api-2.17.2.jar
-lib/log4j-core-2.17.2.jar
-lib/log4j-jcl-2.17.2.jar
-lib/log4j-jul-2.17.2.jar
-lib/log4j-slf4j-impl-2.17.2.jar
+lib/log4j-api-2.25.3.jar
+lib/log4j-core-2.25.3.jar
+lib/log4j-jcl-2.25.3.jar
+lib/log4j-jul-2.25.3.jar
+lib/log4j-slf4j-impl-2.25.3.jar
 lib/logback-classic-1.5.11.jar
 lib/logback-core-1.5.11.jar
 lib/lucene-analysis-common-9.12.3.jar

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -32,11 +32,11 @@ jaxb-runtime-4.0.2.jar
 jaxb-core-4.0.2.jar
 jakarta.xml.bind-api-4.0.2.jar
 jopt-simple-5.0.4.jar
-log4j-slf4j-impl-2.17.2.jar
-log4j-core-2.17.2.jar
-log4j-jcl-2.17.2.jar
-log4j-jul-2.17.2.jar
-log4j-api-2.17.2.jar
+log4j-slf4j-impl-2.25.3.jar
+log4j-core-2.25.3.jar
+log4j-jcl-2.25.3.jar
+log4j-jul-2.25.3.jar
+log4j-api-2.25.3.jar
 spring-aop-6.1.14.jar
 spring-shell-autoconfigure-3.3.3.jar
 spring-shell-standard-commands-3.3.3.jar

geode-docs/managing/logging/configuring_log4j2.html.md.erb

@@ -36,16 +36,16 @@ You can also configure Log4j 2 to work with various popular and commonly used lo
 
 For example, if you are using:
 
--   **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.17.2.jar`)
--   **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.17.2.jar`)
--   **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.17.2.jar`)
+-   **Commons Logging**, download "Commons Logging Bridge" (`log4j-jcl-2.25.3.jar`)
+-   **SLF4J**, download "SLFJ4 Binding" (`log4j-slf4j-impl-2.25.3.jar`)
+-   **java.util.logging**, download the "JUL adapter" (`log4j-jul-2.25.3.jar`)
 
 See [http://logging.apache.org/log4j/2.x/faq.html](http://logging.apache.org/log4j/2.x/faq.html) for more examples.
 
-All three of the above JAR files are in the full distribution of Log4J 2.17.2 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications.
+All three of the above JAR files are in the full distribution of Log4J 2.25.3 which can be downloaded at [http://logging.apache.org/log4j/2.x/download.html](http://logging.apache.org/log4j/2.x/download.html). Download the appropriate bridge, adapter, or binding JARs to ensure that <%=vars.product_name%> logging is integrated with every logging API used in various third-party libraries or in your own applications.
 
 **Note:**
-<%=vars.product_name_long%> has been tested with Log4j 2.17.2. As newer versions of Log4j 2 come out, you can find 2.17.2 under Previous Releases on that page.
+<%=vars.product_name_long%> has been tested with Log4j 2.25.3. As newer versions of Log4j 2 come out, you can find 2.25.3 under Previous Releases on that page.
 
 ## Customizing Your Own log4j2.xml File
 

geode-docs/managing/logging/how_logging_works.html.md.erb

@@ -21,9 +21,9 @@ limitations under the License.
 
 <%=vars.product_name%> uses [Apache Log4j 2](http://logging.apache.org/log4j/2.x/) API and Core libraries as the basis for its logging system. Log4j 2 API is a popular and powerful front-end logging API used by all the <%=vars.product_name%> classes to generate log statements. Log4j 2 Core is a backend implementation for logging; you can route any of the front-end logging API libraries to log to this backend. <%=vars.product_name%> uses the Core backend to run three custom Log4j 2 Appenders: **GeodeConsole**, **GeodeLogWriter**, and **GeodeAlert**.
 
-<%=vars.product_name%> has been tested with Log4j 2.17.2.
+<%=vars.product_name%> has been tested with Log4j 2.25.3.
 <%=vars.product_name%> requires the 
-`log4j-api-2.17.2.jar` and `log4j-core-2.17.2.jar`
+`log4j-api-2.25.3.jar` and `log4j-core-2.25.3.jar`
 JAR files to be in the classpath.
 Both of these JARs are distributed in the `<path-to-product>/lib` directory and included in the appropriate `*-dependencies.jar` convenience libraries.
 

geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb

@@ -108,9 +108,9 @@ If you are deploying an ear file:
     lib/geode-serialization-2.0.0.jar
     lib/jakarta.transaction-api-2.0.1.jar
     lib/jgroups-3.6.20.Final.jar
-    lib/log4j-api-2.17.2.jar
-    lib/log4j-core-2.17.2.jar
-    lib/log4j-jul-2.17.2.jar
+    lib/log4j-api-2.25.3.jar
+    lib/log4j-core-2.25.3.jar
+    lib/log4j-jul-2.25.3.jar
     ```
 
 ## <a id="weblogic_setting_up_the_module__section_20294A39368D4402AEFB3D074E8D5887" class="no-quick-link"></a>Peer-to-Peer Setup

geode-log4j/build.gradle

@@ -21,6 +21,24 @@ plugins {
   id 'jmh'
 }
 
+// GEODE-10543: Configure GraalVM annotation processor options for Log4j 2.25.3
+// Log4j 2.25.3 includes a GraalVM Reachability Metadata annotation processor that generates
+// plugin descriptors for native image compilation. Without these options, the processor emits
+// warnings about missing Maven coordinates, which are treated as compilation errors by Gradle.
+//
+// These options specify the Maven coordinates (groupId:artifactId) for the generated plugin
+// descriptors, suppressing the warnings and allowing compilation to succeed.
+//
+// Apply only to main source compilation, as integration tests don't trigger the annotation processor.
+//
+// Reference: https://issues.apache.org/jira/browse/LOG4J2-3642
+tasks.named('compileJava').configure {
+  options.compilerArgs += [
+    '-Alog4j.graalvm.groupId=org.apache.geode',
+    '-Alog4j.graalvm.artifactId=geode-log4j'
+  ]
+}
+
 dependencies {
   api(platform(project(':boms:geode-all-bom')))
 
@@ -63,8 +81,15 @@ dependencies {
     exclude module: 'geode-core'
   }
   integrationTestImplementation('junit:junit')
-  integrationTestImplementation('org.apache.logging.log4j:log4j-core::tests')
-  integrationTestImplementation('org.apache.logging.log4j:log4j-core::test-sources')
+  // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
+  // org.apache.logging.log4j.junit → org.apache.logging.log4j.core.test.junit
+  // org.apache.logging.log4j.test → org.apache.logging.log4j.core.test
+  // log4j-core-test 2.25.3 transitively depends on assertj-core 3.27.3, but Geode's
+  // custom AssertJ assertions were built against 3.22.0. Force 3.22.0 to avoid
+  // NoSuchMethodError: CommonValidations.failIfEmptySinceActualIsNotEmpty
+  integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') {
+    exclude group: 'org.assertj', module: 'assertj-core'
+  }
   integrationTestImplementation('org.assertj:assertj-core')
 
   distributedTestImplementation(project(':geode-junit')) {

geode-log4j/src/integrationTest/java/org/apache/geode/alerting/log4j/internal/impl/AlertAppenderIntegrationTest.java

@@ -36,7 +36,7 @@
 import org.apache.logging.log4j.Level;
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.core.LogEvent;
-import org.apache.logging.log4j.junit.LoggerContextRule;
+import org.apache.logging.log4j.core.test.junit.LoggerContextRule;
 import org.junit.After;
 import org.junit.Before;
 import org.junit.BeforeClass;