Skip to content

Upgrade Log4j to 2.25.3 #18522

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jsvd merged 2 commits into from
Jan 12, 2026
Merged

Upgrade Log4j to 2.25.3 #18522

jsvd merged 2 commits into from
Jan 12, 2026
+41 −23

Conversation

@jsvd
Copy link
Member

@jsvd jsvd commented Dec 19, 2025

  • Use PluginProcessor explicitly to skip GraalVmProcessor
  • Update test dependency from log4j-core:tests to log4j-core-test module
  • Update test imports for relocated packages in Log4j 2.24+:
    • org.apache.logging.log4j.junit -> org.apache.logging.log4j.core.test.junit
    • org.apache.logging.log4j.test.appender -> org.apache.logging.log4j.core.test.appender
  • Add @SuppressWarnings for deprecated Message.getFormat() and EventLogger
  • Fix ObjectMappersTest to not assume fixed serializer ordering

@jsvd
Upgrade Log4j to 2.25.3
78c4e26 
- Use PluginProcessor explicitly to skip GraalVmProcessor
- Update test dependency from log4j-core:tests to log4j-core-test module
- Update test imports for relocated packages in Log4j 2.24+:
  - org.apache.logging.log4j.junit -> org.apache.logging.log4j.core.test.junit
  - org.apache.logging.log4j.test.appender -> org.apache.logging.log4j.core.test.appender
- Add @SuppressWarnings for deprecated Message.getFormat() and EventLogger
- Fix ObjectMappersTest to not assume fixed serializer ordering
@github-actions
Copy link
Contributor

github-actions bot commented Dec 19, 2025

🤖 GitHub comments

Just comment with:

  • run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)
  • /run exhaustive tests : Run the exhaustive tests Buildkite pipeline.

@mergify
Copy link
Contributor

mergify bot commented Dec 19, 2025

This pull request does not have a backport label. Could you fix it @jsvd? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit.
  • If no backport is necessary, please add the backport-skip label

@jsvd
Copy link
Member Author

jsvd commented Dec 19, 2025

/run exhaustive tests

@ca-scribner ca-scribner mentioned this pull request Dec 29, 2025
Merged
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 29, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-14762
052868d 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 29, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-68161
33d7c93 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 29, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-68161
24e935a 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 29, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-68161
76a6515 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
ca-scribner added a commit to ca-scribner/advisories that referenced this pull request Dec 29, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-68161
c23b786 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
github-merge-queue bot pushed a commit to wolfi-dev/advisories that referenced this pull request Dec 30, 2025
@ca-scribner
logstash-[9.2]: Update advisory for CVE-2025-68161 (#28187)
6023bad 
To mitigate CVE-2025-14762, log4j must be bumped from 2.17.2 to 2.25.3.  This includes navigating a few small breaking changes in log4j.  Upstream is currently working on a patch to complete this migration [here](elastic/logstash#18522), but the patch is incomplete and has failing tests
@elasticmachine
Copy link

elasticmachine commented Jan 2, 2026

💛 Build succeeded, but was flaky

Failed CI Steps

History

@jsvd jsvd marked this pull request as ready for review January 2, 2026 15:01
robbavey
robbavey approved these changes Jan 2, 2026
View reviewed changes
Copy link
Member

@robbavey robbavey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@mashhurs mashhurs mentioned this pull request Jan 8, 2026
Closed
5 tasks
@jsvd jsvd added the backport-9.3 Automated backport to the 9.3 branch label Jan 12, 2026
@jsvd jsvd merged commit 707a4c9 into elastic:main Jan 12, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@robbavey robbavey robbavey approved these changes

Assignees

No one assigned

Labels

backport-9.3 Automated backport to the 9.3 branch

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jsvd @elasticmachine @robbavey