
Commit 2b83c0a

* GEODE-10555: Remediate CVEs - Add global exclusion of ch.qos.logback to prevent transitive inclusion - Remediate CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225 - Update expected POM files to reflect dependency changes - All logging routed through Log4j 2 via log4j-slf4j-impl * Update geode-server-all expected dependency classpath Remove logback-classic and logback-core from expected dependencies * Update assembly integration test expected files - Remove logback-classic and logback-core from assembly_content.txt - Remove logback from expected_jars.txt (bundled jars) - Remove logback from gfsh_dependency_classpath.txt
1 parent 4e93d2c commit 2b83c0a

31 files changed

Lines changed: 939 additions & 317 deletions


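--- a/build.gradle
+++ b/build.gradle
@@ -80,8 +80,11 @@ allprojects {
 // Exclude 'log4j-to-slf4j' globally. Geode's logging architecture requires Log4j Core to be the primary logging implementation,
 // with SLF4J calls being routed TO Log4j (via log4j-slf4j-impl), not the other way around.
 //
+// Logback is unused (transitive from spring-boot-starter-logging). Geode uses Log4j 2 for all logging.
+//
 configurations.all {
 exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
+exclude group: 'ch.qos.logback'
 }
 
 buildRoot = buildRoot.trim()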
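Review bot: The new comment at line 83 says Logback is unused but does not record that the exclusion exists as a vulnerability remediation, so a later tidy-up of `configurations.all` could drop it as cosmetic; suggest `// Excluded under GEODE-10555: Logback (CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225) is unused - Geode logs through Log4j 2 via log4j-slf4j-impl.` Note that spring-boot-starter-logging, whose main purpose is to pull in Logback, still ships (it remains in gfsh_dependency_classpath.txt), so this group exclusion is the only thing keeping Logback out rather than the dependency graph itself; excluding the starter too, or stating in the comment that it is intentionally retained, would make the intent harder to undo by accident. The assembly fixtures updated in this commit do act as a regression guard for the jars, which is good. The `allprojects` block begins outside the hunk.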

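--- a/extensions/geode-modules-tomcat10/src/test/resources/expected-pom.xml
+++ b/extensions/geode-modules-tomcat10/src/test/resources/expected-pom.xml
@@ -55,6 +55,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -66,6 +70,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 </dependencies>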

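--- a/extensions/geode-modules/src/test/resources/expected-pom.xml
+++ b/extensions/geode-modules/src/test/resources/expected-pom.xml
@@ -55,6 +55,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -66,6 +70,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -77,6 +85,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -88,6 +100,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -99,6 +115,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -110,6 +130,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -121,6 +145,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 </dependencies>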

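--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -1017,8 +1017,6 @@ lib/log4j-core-2.25.3.jar
 lib/log4j-jcl-2.25.3.jar
 lib/log4j-jul-2.25.3.jar
 lib/log4j-slf4j-impl-2.25.3.jar
-lib/logback-classic-1.5.11.jar
-lib/logback-core-1.5.11.jar
 lib/lucene-analysis-common-9.12.3.jar
 lib/lucene-analysis-phonetic-9.12.3.jar
 lib/lucene-core-9.12.3.jar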

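--- a/geode-assembly/src/integrationTest/resources/expected_jars.txt
+++ b/geode-assembly/src/integrationTest/resources/expected_jars.txt
@@ -84,8 +84,6 @@ log4j-core
 log4j-jcl
 log4j-jul
 log4j-slf4j-impl
-logback-classic
-logback-core
 lucene-analysis-common
 lucene-analysis-phonetic
 lucene-core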

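--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -21,11 +21,11 @@ spring-shell-starter-3.3.3.jar
 spring-web-6.1.14.jar
 commons-lang3-3.18.0.jar
 rmiio-2.1.2.jar
+jackson-datatype-jsr310-2.17.0.jar
 jackson-datatype-joda-2.17.0.jar
 jackson-annotations-2.17.0.jar
-jackson-dataformat-yaml-2.17.0.jar
 jackson-core-2.17.0.jar
-jackson-datatype-jsr310-2.17.0.jar
+jackson-dataformat-yaml-2.17.0.jar
 jackson-databind-2.17.0.jar
 swagger-annotations-2.2.22.jar
 jaxb-runtime-4.0.2.jar
@@ -76,6 +76,7 @@ commons-io-2.19.0.jar
 commons-logging-1.3.5.jar
 classgraph-4.8.147.jar
 micrometer-core-1.14.0.jar
+HdrHistogram-2.2.2.jar
 fastutil-8.5.8.jar
 jakarta.resource-api-2.1.0.jar
 jetty-ee10-annotations-12.0.27.jar
@@ -108,7 +109,6 @@ jetty-xml-12.0.27.jar
 jetty-http-12.0.27.jar
 jetty-io-12.0.27.jar
 spring-boot-starter-logging-3.3.5.jar
-logback-classic-1.5.11.jar
 jul-to-slf4j-2.0.16.jar
 jetty-jndi-12.0.27.jar
 jetty-util-12.0.27.jar
@@ -117,8 +117,8 @@ byte-buddy-1.14.9.jar
 micrometer-observation-1.14.0.jar
 spring-jcl-6.1.14.jar
 micrometer-commons-1.14.0.jar
-HdrHistogram-2.2.2.jar
 LatencyUtils-2.0.3.jar
+snakeyaml-2.2.jar
 reactor-core-3.6.10.jar
 jline-console-3.26.3.jar
 jline-builtins-3.26.3.jar
@@ -127,7 +127,6 @@ jline-style-3.26.3.jar
 jline-terminal-3.26.3.jar
 ST4-4.3.3.jar
 txw2-4.0.2.jar
-snakeyaml-2.2.jar
 asm-commons-9.8.jar
 asm-tree-9.8.jar
 asm-9.8.jar
@@ -140,6 +139,5 @@ jakarta.enterprise.lang-model-4.0.1.jar
 jakarta.validation-api-3.0.2.jar
 jboss-logging-3.4.3.Final.jar
 classmate-1.5.1.jar
-logback-core-1.5.11.jar
 jakarta.el-api-5.0.0.jar
 jakarta.inject-api-2.0.1.jar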
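Review bot: Besides dropping the two logback jars, this fixture also moves jackson-datatype-jsr310, jackson-dataformat-yaml, HdrHistogram and snakeyaml to new positions in the classpath, and the commit message does not mention that; since this file records gfsh's classpath order, a reordering can change which class wins when two jars carry the same name, so it is worth stating why the order shifted (presumably the resolution order changed once logback left the graph, but that is not visible here). A one-line note in the commit description, or a comment at the top of the fixture if the format allows one, would keep a future reader from reading the moves as unrelated churn. Also worth confirming that spring-boot-starter-logging-3.3.5.jar and jul-to-slf4j-2.0.16.jar are still wanted now that the Logback they were paired with is gone.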

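--- a/geode-common/src/test/resources/expected-pom.xml
+++ b/geode-common/src/test/resources/expected-pom.xml
@@ -55,6 +55,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -66,6 +70,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -77,6 +85,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 </dependencies>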

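--- a/geode-concurrency-test/src/test/resources/expected-pom.xml
+++ b/geode-concurrency-test/src/test/resources/expected-pom.xml
@@ -55,6 +55,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -66,6 +70,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 </dependencies>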

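--- a/geode-connectors/src/test/resources/expected-pom.xml
+++ b/geode-connectors/src/test/resources/expected-pom.xml
@@ -55,6 +55,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -66,6 +70,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -77,6 +85,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -88,6 +100,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -99,6 +115,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -110,6 +130,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -121,6 +145,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -132,6 +160,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -143,6 +175,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -154,6 +190,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 <dependency>
@@ -165,6 +205,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 <optional>true</optional>
 </dependency>
@@ -177,6 +221,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 <exclusion>
 <artifactId>cglib</artifactId>
 <groupId>*</groupId>
@@ -212,6 +260,10 @@
 <artifactId>log4j-to-slf4j</artifactId>
 <groupId>org.apache.logging.log4j</groupId>
 </exclusion>
+<exclusion>
+<artifactId>*</artifactId>
+<groupId>ch.qos.logback</groupId>
+</exclusion>
 </exclusions>
 </dependency>
 </dependencies>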
