
Conversation


@snyk-io snyk-io bot commented Dec 19, 2025


Snyk has created this PR to fix 1 vulnerability in the maven dependencies of this project.

Snyk changed the following file(s):

  • pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue:    Improper Validation of Certificate with Host Mismatch (medium severity)
          SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782
Score:    113
Upgrade:  org.apache.logging.log4j:log4j-core: 2.20.0 -> 2.25.3
          No Path Found | No Known Exploit

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about this vulnerability in an interactive lesson of Snyk Learn.


snyk-io bot commented Dec 19, 2025

Merge Risk: High

This upgrade spans multiple minor versions and introduces several breaking changes, including the removal of modules and changes to log output formats.

Highlights:

  • Module Removals: As of version 2.22.0, the log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3 modules have been removed. Projects using these will need to find alternatives or manage them separately. [1]
  • Layout Format Change: As of version 2.23.0, the XML, JSON, and YAML layouts no longer include the timeMillis attribute. It has been replaced by an Instant object with epochSecond and nanoOfSecond attributes, which will break downstream parsing. [1]

Source: Apache Log4j release notes
Recommendation: Review usage of removed modules and check any systems that parse JSON/XML/YAML log output before merging this upgrade.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
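The timeMillis-to-instant change flagged in the comment above is the kind of breakage that surfaces only downstream, in whatever ingests the JSON log output. As an added example (not code from this PR, from Snyk, or from Log4j), here is a small Python normaliser that accepts both shapes and fails loudly when neither timestamp field is present. The field names follow the release-note description quoted in the comment; the two sample log lines are constructed, and the remaining fields (level, loggerName, message) are assumed to match the default JsonLayout output.

```python
"""Normalise Log4j JsonLayout event timestamps across the 2.23.0 format change.

Added example, not part of the Snyk PR or of Log4j. Older log4j-core (for
example 2.20.0) emits an integer "timeMillis"; from 2.23.0 the JSON/XML/YAML
layouts drop it in favour of an "instant" object with "epochSecond" and
"nanoOfSecond". A consumer that only reads "timeMillis" stops getting
timestamps after the upgrade, so both shapes are handled here.
"""
import json
from datetime import datetime, timezone

NANOS_PER_SECOND = 1_000_000_000

# Constructed sample lines: one pre-2.23.0 layout, one post-upgrade layout.
OLD_FORMAT_LINE = (
    '{"timeMillis":1700000000123,"level":"WARN","loggerName":"auth",'
    '"message":"login failed for user alice"}'
)
NEW_FORMAT_LINE = (
    '{"instant":{"epochSecond":1700000000,"nanoOfSecond":123456789},'
    '"level":"WARN","loggerName":"auth","message":"login failed for user alice"}'
)


def epoch_nanos(event: dict) -> int:
    """Return the event time as nanoseconds since the Unix epoch.

    Prefers the newer "instant" object, falls back to legacy "timeMillis",
    and raises ValueError on malformed or missing data so that a format drift
    is detected instead of silently producing a wrong timestamp.
    """
    if "instant" in event:
        instant = event["instant"]
        try:
            seconds = int(instant["epochSecond"])
            nanos = int(instant["nanoOfSecond"])
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"malformed instant object: {instant!r}") from exc
        if not 0 <= nanos < NANOS_PER_SECOND:
            raise ValueError(f"nanoOfSecond out of range: {nanos}")
        return seconds * NANOS_PER_SECOND + nanos
    if "timeMillis" in event:
        try:
            return int(event["timeMillis"]) * 1_000_000
        except (TypeError, ValueError) as exc:
            raise ValueError(f"malformed timeMillis: {event['timeMillis']!r}") from exc
    raise ValueError("event carries neither 'instant' nor 'timeMillis'")


def to_datetime(nanos: int) -> datetime:
    """Convert epoch nanoseconds to an aware UTC datetime (microsecond resolution)."""
    seconds, remainder = divmod(nanos, NANOS_PER_SECOND)
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(
        microsecond=remainder // 1000
    )


def parse_line(line: str) -> dict:
    """Normalise one JsonLayout line into the fields a downstream consumer uses."""
    event = json.loads(line)
    nanos = epoch_nanos(event)
    return {
        "epoch_nanos": nanos,
        "timestamp": to_datetime(nanos),
        "level": event.get("level"),
        "logger": event.get("loggerName"),
        "message": event.get("message"),
    }


def parse_lines(lines):
    """Parse a sequence of JsonLayout lines, old and new formats mixed."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for record in parse_lines([OLD_FORMAT_LINE, NEW_FORMAT_LINE]):
        print(record["timestamp"].isoformat(), record["level"], record["message"])
```

Running the block prints the same second for both lines; the post-upgrade line additionally carries sub-millisecond precision, which is worth keeping if the consumer orders events from several hosts.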


snyk-io bot commented Dec 19, 2025

Snyk checks have passed. No issues have been found so far.

Scanner                Critical  High  Medium  Low  Total (0)
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


snyk-io bot commented Dec 19, 2025

Merge Risk: Medium

This upgrade spans multiple minor versions and introduces several breaking changes related to module removals, configuration properties, and default behaviors. While many applications will be unaffected, projects using specific modules, advanced configurations, or OSGi may require modifications.

Highlights:

  • Module Removals (v2.24.0): The log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3 modules have been removed. Users must migrate to alternatives, such as log4j-mongodb4 for MongoDB support.
  • Configuration Changes (v2.24.0): The properties configuration subsystem is now stricter and only accepts official property names, which may break configurations with typos. Additionally, JMX is now disabled by default.
  • Pattern Layout Changes (v2.25.0): Exception handling in PatternLayout was rewritten. The default exception converter has changed, and support for the {ansi} option in exception converters has been removed.

Source: Apache Log4j Release Notes
Recommendation: Review your configuration for removed modules and non-standard properties. Validate exception log formatting before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io bot commented Dec 19, 2025

Merge Risk: Medium

This upgrade to Log4j Core introduces several breaking changes across intermediate versions, primarily in version 2.24.0. Key changes include the removal of specific modules, JMX being disabled by default, and altered behavior for logging bridges. These changes may require dependency and configuration adjustments.

Highlights:

  • Module Removals: The log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3 modules are no longer included. [1, 2] If you use these, you must add their new, separate dependencies.
  • JMX Disabled by Default: JMX support is now disabled by default and must be explicitly re-enabled by setting the system property log4j2.disableJmx to false. [1]

Source: Apache Log4j release notes
Recommendation: Review your project for usage of the removed modules and any reliance on JMX monitoring or logging bridges. Update dependencies and configurations as needed before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io bot commented Dec 19, 2025

Merge Risk: Medium

This upgrade introduces breaking changes related to module removals and stricter configuration parsing. While the core logging API remains compatible, projects using specific removed modules or relying on lenient configuration parsing will require modifications.

Highlights:

  • Module Removals: As of version 2.25.0, the log4j-mongodb3, log4j-kubernetes, and log4j-flume-ng modules are no longer included in the main distribution. Projects using the MongoDB v3 appender must migrate to log4j-mongodb4 or the latest log4j-mongodb artifact.
  • Stricter Configuration: Since 2.25.0, Log4j has become stricter in parsing properties configuration files. Malformed files that were previously tolerated may now cause application startup failures.

Source: Apache Log4j Release Notes
Recommendation: Verify that your project does not depend on the removed modules and ensure your Log4j properties files are well-formed before upgrading.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io bot commented Dec 19, 2025

Merge Risk: High

This upgrade spans multiple minor versions and introduces several breaking changes, including the removal of modules, changes to default behaviors, and stricter configuration validation. The risk is high due to the potential for runtime failures and altered log output if configurations are not updated.

Highlights:

  • Module Removals (v2.24.0): The log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3 modules have been removed from the main release. If you use these, you must add their new, separate dependencies.
  • JMX Disabled by Default (v2.24.0): JMX is now disabled by default. To re-enable it for monitoring, you must set the system property log4j2.disableJmx to false.

Source: Apache Log4j Release Notes
Recommendation: Carefully review the release notes for versions 2.21 through 2.25. Update dependencies for any removed modules and adjust system properties for JMX before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io bot commented Dec 19, 2025

Merge Risk: Medium

This upgrade introduces several specific breaking changes, including the removal of modules, stricter configuration property validation, and changes to pattern layout behavior. While core API compatibility is maintained, projects using the affected modules or advanced configurations will require modifications.

Highlights:

  • Module Removals: The log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3 modules have been removed from the release and must be managed separately. [6]
  • Configuration: As of version 2.24.0, the configuration properties subsystem is stricter and no longer accepts unofficial or misspelled property names. [1, 6]
  • Pattern Layout: In version 2.25.0, the default exception converter changed from extended to plain, and the {ansi} option in exception converters was removed. [8, 9]

Source: Apache Log4j release notes
Recommendation: Review your logging configuration for removed modules and non-standard property names. Verify that exception logging output remains acceptable after the change in the default converter.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io bot commented Dec 19, 2025

Merge Risk: High

This upgrade to Log4j 2.25.3 introduces several breaking changes, most notably in version 2.24.0. The ability for Log4j 1.x bridge APIs to configure Log4j has been disabled by default, and several modules have been removed from the main distribution.

Highlights:

  • Log4j 1.x Bridge: Programmatic configuration via the Log4j 1.x API (e.g., PropertyConfigurator.configure) is now disabled by default. If you rely on this, you must set the log4j1.compatibility=true system property.
  • Removed Modules: The log4j-mongodb3, log4j-kubernetes, and log4j-flume-ng modules have been removed. Users of log4j-mongodb3 must migrate to log4j-mongodb4 or the newer log4j-mongodb artifact.

Source: Apache Log4j Release Notes
Recommendation: Review your project for usage of the Log4j 1.x bridge for configuration and for dependencies on the removed modules. Update build configurations and system properties as needed before merging.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
