Skip to content

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1 #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Snyk] Upgrade org.apache.logging.log4j:log4j-api from 2.13.3 to 2.25.1 #1

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security Enhancement: This Log4j upgrade is critical for security. Version 2.13.3 contains multiple severe vulnerabilities including Log4Shell (CVE-2021-44228), Log4j2 JNDI features (CVE-2021-45046), and other RCE vulnerabilities123. The upgrade to 2.25.1 addresses these security issues and brings the dependency up to date with 22 versions of improvements and security patches.

Footnotes

  1. CVE-2021-44228 (Log4Shell): Remote Code Execution - https://cwe.mitre.org/data/definitions/502.html

  2. CVE-2021-45046: Information Disclosure and RCE - https://cwe.mitre.org/data/definitions/20.html

  3. CVE-2021-45105: Denial of Service - https://cwe.mitre.org/data/definitions/400.html

Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Incomplete Security Upgrade: While this PR updates log4j-api to 2.25.1, the log4j-core dependency (line 65 in the full file) remains at the vulnerable version 2.13.31. Both Log4j dependencies must be updated together to ensure security and compatibility. Consider updating log4j-core to 2.25.1 as well to complete the security remediation.

Footnotes

  1. CVE-2021-44228 (Log4Shell): Remote Code Execution - https://cwe.mitre.org/data/definitions/502.html

Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outdated Dependencies: Several other dependencies in this project are significantly outdated and may contain security vulnerabilities. The JUnit version 4.13.1 (line 60) should be updated to 4.13.2 or later to address CVE-2020-152501. The JSON library version 20200518 (line 43) is also quite old and should be updated to a more recent version for security and bug fixes.

Footnotes

  1. CVE-2020-15250: Temporary file information disclosure - https://cwe.mitre.org/data/definitions/200.html

Copy link

@amazon-q-developer amazon-q-developer bot Sep 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Outdated Spring Boot Version: The Spring Boot parent version 2.0.5.RELEASE (line 13) is extremely outdated and contains numerous security vulnerabilities1. This version was released in 2018 and is no longer supported. Consider upgrading to a supported Spring Boot 2.7.x or 3.x version, though this will require more extensive testing due to potential breaking changes.

Footnotes

  1. Multiple CVEs affect Spring Boot 2.0.x including CVE-2021-22118, CVE-2021-22119 - https://cwe.mitre.org/data/definitions/20.html

</dependency>
<!-- https://mvnrepository.com/artifact/junit/junit -->
<dependency>
Expand Down