GEODE-10555: Remediate CVE-2024-12798 CVE-2024-12801 CVE-2025-11226 CVE-2026-1225 (#7982)

* GEODE-10555: Remediate CVEs

- Add global exclusion of ch.qos.logback to prevent transitive inclusion
- Remediate CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
- Update expected POM files to reflect dependency changes
- All logging routed through Log4j 2 via log4j-slf4j-impl

* Update geode-server-all expected dependency classpath

Remove logback-classic and logback-core from expected dependencies

* Update assembly integration test expected files

- Remove logback-classic and logback-core from assembly_content.txt
- Remove logback from expected_jars.txt (bundled jars)
- Remove logback from gfsh_dependency_classpath.txt

Author: JinwooHwang

build.gradle

@@ -80,8 +80,11 @@ allprojects {
   // Exclude 'log4j-to-slf4j' globally. Geode's logging architecture requires Log4j Core to be the primary logging implementation,
   // with SLF4J calls being routed TO Log4j (via log4j-slf4j-impl), not the other way around.
   //
+  // Logback is unused (transitive from spring-boot-starter-logging). Geode uses Log4j 2 for all logging.
+  //
   configurations.all {
     exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
+    exclude group: 'ch.qos.logback'
   }
 
   buildRoot = buildRoot.trim()

extensions/geode-modules-tomcat10/src/test/resources/expected-pom.xml

@@ -55,6 +55,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -66,6 +70,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>

extensions/geode-modules/src/test/resources/expected-pom.xml

@@ -55,6 +55,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -66,6 +70,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -77,6 +85,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -88,6 +100,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -99,6 +115,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -110,6 +130,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -121,6 +145,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>

geode-assembly/src/integrationTest/resources/assembly_content.txt

@@ -1017,8 +1017,6 @@ lib/log4j-core-2.25.3.jar
 lib/log4j-jcl-2.25.3.jar
 lib/log4j-jul-2.25.3.jar
 lib/log4j-slf4j-impl-2.25.3.jar
-lib/logback-classic-1.5.11.jar
-lib/logback-core-1.5.11.jar
 lib/lucene-analysis-common-9.12.3.jar
 lib/lucene-analysis-phonetic-9.12.3.jar
 lib/lucene-core-9.12.3.jar

geode-assembly/src/integrationTest/resources/expected_jars.txt

@@ -84,8 +84,6 @@ log4j-core
 log4j-jcl
 log4j-jul
 log4j-slf4j-impl
-logback-classic
-logback-core
 lucene-analysis-common
 lucene-analysis-phonetic
 lucene-core

geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt

@@ -21,11 +21,11 @@ spring-shell-starter-3.3.3.jar
 spring-web-6.1.14.jar
 commons-lang3-3.18.0.jar
 rmiio-2.1.2.jar
+jackson-datatype-jsr310-2.17.0.jar
 jackson-datatype-joda-2.17.0.jar
 jackson-annotations-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
 jackson-core-2.17.0.jar
-jackson-datatype-jsr310-2.17.0.jar
+jackson-dataformat-yaml-2.17.0.jar
 jackson-databind-2.17.0.jar
 swagger-annotations-2.2.22.jar
 jaxb-runtime-4.0.2.jar
@@ -76,6 +76,7 @@ commons-io-2.19.0.jar
 commons-logging-1.3.5.jar
 classgraph-4.8.147.jar
 micrometer-core-1.14.0.jar
+HdrHistogram-2.2.2.jar
 fastutil-8.5.8.jar
 jakarta.resource-api-2.1.0.jar
 jetty-ee10-annotations-12.0.27.jar
@@ -108,7 +109,6 @@ jetty-xml-12.0.27.jar
 jetty-http-12.0.27.jar
 jetty-io-12.0.27.jar
 spring-boot-starter-logging-3.3.5.jar
-logback-classic-1.5.11.jar
 jul-to-slf4j-2.0.16.jar
 jetty-jndi-12.0.27.jar
 jetty-util-12.0.27.jar
@@ -117,8 +117,8 @@ byte-buddy-1.14.9.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
 micrometer-commons-1.14.0.jar
-HdrHistogram-2.2.2.jar
 LatencyUtils-2.0.3.jar
+snakeyaml-2.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
@@ -127,7 +127,6 @@ jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
-snakeyaml-2.2.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
 asm-9.8.jar
@@ -140,6 +139,5 @@ jakarta.enterprise.lang-model-4.0.1.jar
 jakarta.validation-api-3.0.2.jar
 jboss-logging-3.4.3.Final.jar
 classmate-1.5.1.jar
-logback-core-1.5.11.jar
 jakarta.el-api-5.0.0.jar
 jakarta.inject-api-2.0.1.jar

geode-common/src/test/resources/expected-pom.xml

@@ -55,6 +55,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -66,6 +70,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -77,6 +85,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>

geode-concurrency-test/src/test/resources/expected-pom.xml

@@ -55,6 +55,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -66,6 +70,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>

geode-connectors/src/test/resources/expected-pom.xml

@@ -55,6 +55,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -66,6 +70,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -77,6 +85,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -88,6 +100,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -99,6 +115,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -110,6 +130,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -121,6 +145,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -132,6 +160,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -143,6 +175,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -154,6 +190,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -165,6 +205,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
       <optional>true</optional>
     </dependency>
@@ -177,6 +221,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
         <exclusion>
           <artifactId>cglib</artifactId>
           <groupId>*</groupId>
@@ -212,6 +260,10 @@
           <artifactId>log4j-to-slf4j</artifactId>
           <groupId>org.apache.logging.log4j</groupId>
         </exclusion>
+        <exclusion>
+          <artifactId>*</artifactId>
+          <groupId>ch.qos.logback</groupId>
+        </exclusion>
       </exclusions>
     </dependency>
   </dependencies>