Skip to content

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1 #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1 #1

wants to merge 1 commit into from

Conversation

@venuvasu
Copy link
Owner

@venuvasu venuvasu commented Sep 16, 2025

snyk-top-banner

Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 22 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

@snyk-bot
fix: upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1
2b43f7b 
Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1.

See this package in maven:
org.apache.logging.log4j:log4j-api

See this project in Snyk:
https://app.snyk.io/org/venuvasu/project/ab3272c3-714e-4cea-9d67-8c06a10ba3cd?utm_source=github&utm_medium=referral&page=upgrade-pr
@amazon-q-developer
Copy link

amazon-q-developer bot commented Sep 16, 2025

Code review in progress. Analyzing for code quality issues and best practices. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer1 is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command Description
/q <message> Chat with the agent to ask questions or request revisions
/q review Requests an Amazon Q powered code review
/q help Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

  1. Create a .amazonq/rules folder in your project root.
  2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
  3. Write detailed prompts in these files, such as coding standards or best practices.
  4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

  1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy.

@sonarqubecloud
Copy link

sonarqubecloud bot commented Sep 16, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

amazon-q-developer[bot]
amazon-q-developer bot reviewed Sep 16, 2025
View reviewed changes
Copy link

@amazon-q-developer amazon-q-developer bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Upgrade Review Summary

This PR addresses a critical security vulnerability by upgrading Log4j API from 2.13.3 to 2.25.1, which resolves the infamous Log4Shell vulnerability (CVE-2021-44228) and other serious security issues. This upgrade should be merged as a high priority.

Critical Issues to Address:

  1. Incomplete Log4j Upgrade: The log4j-core dependency remains at the vulnerable version 2.13.3 and must also be updated to 2.25.1 for complete security remediation.

  2. Additional Security Vulnerabilities: Several other dependencies are outdated and contain known vulnerabilities, including JUnit 4.13.1 and the extremely outdated Spring Boot 2.0.5.RELEASE.

Recommendations:

  • Immediate: Update log4j-core to 2.25.1 to match the log4j-api version
  • Short-term: Update JUnit to 4.13.2+ and the JSON library to a recent version
  • Long-term: Plan a comprehensive dependency upgrade, especially Spring Boot, which requires more extensive testing

The Log4j upgrade is essential for security, but the incomplete nature of the upgrade leaves the application partially vulnerable. Please ensure all Log4j components are updated together.

pom.xml
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Enhancement: This Log4j upgrade is critical for security. Version 2.13.3 contains multiple severe vulnerabilities including Log4Shell (CVE-2021-44228), Log4j2 JNDI features (CVE-2021-45046), and other RCE vulnerabilities123. The upgrade to 2.25.1 addresses these security issues and brings the dependency up to date with 22 versions of improvements and security patches.

Footnotes

  1. CVE-2021-44228 (Log4Shell): Remote Code Execution - https://cwe.mitre.org/data/definitions/502.html

  2. CVE-2021-45046: Information Disclosure and RCE - https://cwe.mitre.org/data/definitions/20.html

  3. CVE-2021-45105: Denial of Service - https://cwe.mitre.org/data/definitions/400.html

pom.xml
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Incomplete Security Upgrade: While this PR updates log4j-api to 2.25.1, the log4j-core dependency (line 65 in the full file) remains at the vulnerable version 2.13.31. Both Log4j dependencies must be updated together to ensure security and compatibility. Consider updating log4j-core to 2.25.1 as well to complete the security remediation.

Footnotes

  1. CVE-2021-44228 (Log4Shell): Remote Code Execution - https://cwe.mitre.org/data/definitions/502.html

pom.xml
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outdated Dependencies: Several other dependencies in this project are significantly outdated and may contain security vulnerabilities. The JUnit version 4.13.1 (line 60) should be updated to 4.13.2 or later to address CVE-2020-152501. The JSON library version 20200518 (line 43) is also quite old and should be updated to a more recent version for security and bug fixes.

Footnotes

  1. CVE-2020-15250: Temporary file information disclosure - https://cwe.mitre.org/data/definitions/200.html

pom.xml
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outdated Spring Boot Version: The Spring Boot parent version 2.0.5.RELEASE (line 13) is extremely outdated and contains numerous security vulnerabilities1. This version was released in 2018 and is no longer supported. Consider upgrading to a supported Spring Boot 2.7.x or 3.x version, though this will require more extensive testing due to potential breaking changes.

Footnotes

  1. Multiple CVEs affect Spring Boot 2.0.x including CVE-2021-22118, CVE-2021-22119 - https://cwe.mitre.org/data/definitions/20.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amazon-q-developer amazon-q-developer[bot] amazon-q-developer[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@venuvasu @snyk-bot