
Conversation

@venuvasu
Owner


Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-core from 2.13.3 to 2.25.1.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 22 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Issues fixed by the recommended upgrade:

Issue | Score | Exploit Maturity
Critical severity: Remote Code Execution (RCE), SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720 | 800 | Mature
Critical severity: Remote Code Execution (RCE), SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2320014 | 800 | Mature
High severity: Denial of Service (DoS), SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524 | 800 | Proof of Concept
Medium severity: Arbitrary Code Execution, SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339 | 800 | Proof of Concept

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in maven:
org.apache.logging.log4j:log4j-core

See this project in Snyk:
https://app.snyk.io/org/venuvasu/project/ab3272c3-714e-4cea-9d67-8c06a10ba3cd?utm_source=github&utm_medium=referral&page=upgrade-pr
@amazon-q-developer

Code review in progress. Analyzing for code quality issues and best practices. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer [1] is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command | Description
/q <message> | Chat with the agent to ask questions or request revisions
/q review | Requests an Amazon Q powered code review
/q help | Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

  1. Create a .amazonq/rules folder in your project root.
  2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
  3. Write detailed prompts in these files, such as coding standards or best practices.
  4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

  1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy.

@sonarqubecloud

@amazon-q-developer amazon-q-developer bot left a comment


Security Upgrade Review Summary

This PR addresses critical Log4j security vulnerabilities by upgrading from 2.13.3 to 2.25.1, which is essential for security. The upgrade resolves multiple severe vulnerabilities including Remote Code Execution and Denial of Service attacks.

Critical Issue to Address:

  • Version Mismatch: The log4j-api dependency remains at 2.13.3 while log4j-core is upgraded to 2.25.1. This inconsistency could cause runtime issues and may not fully resolve security vulnerabilities.

Recommendations:

  1. Immediate: Upgrade log4j-api to 2.25.1 to match log4j-core
  2. Follow-up: Consider updating other outdated dependencies (JUnit, Mockito, JSON library)
  3. Process: Implement regular dependency security scanning to catch vulnerabilities early

Approval Status: Approve after fixing the log4j-api version mismatch. The security benefits of this upgrade significantly outweigh the minimal risk of the dependency update.

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>
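Review bot: the log4j-core version is hard-coded on this one artifact while, as the review comments note, log4j-api is still declared at 2.13.3 elsewhere in the same pom. Pinning both artifacts through a single shared Maven property (for example `<log4j.version>2.25.1</log4j.version>` under `<properties>`, referenced as `<version>${log4j.version}</version>` in each dependency) would keep the two in step and make a partial upgrade like this one impossible to land by accident.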


Security Upgrade: This Log4j version upgrade is critical and addresses multiple severe security vulnerabilities [1][2][3][4]. The upgrade from 2.13.3 to 2.25.1 resolves two critical Remote Code Execution vulnerabilities, one high-severity Denial of Service vulnerability, and one medium-severity Arbitrary Code Execution vulnerability. This change should be prioritized for immediate deployment.

Footnotes

  1. CWE-94: Code Injection - https://cwe.mitre.org/data/definitions/94.html

  2. CWE-502: Deserialization of Untrusted Data - https://cwe.mitre.org/data/definitions/502.html

  3. CWE-400: Uncontrolled Resource Consumption - https://cwe.mitre.org/data/definitions/400.html

  4. CWE-20: Improper Input Validation - https://cwe.mitre.org/data/definitions/20.html

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>


⚠️ Incomplete Upgrade: While this PR upgrades log4j-core to 2.25.1, the log4j-api dependency (line 53) remains at version 2.13.3. This version mismatch can cause runtime compatibility issues and may not fully resolve all security vulnerabilities. Consider upgrading log4j-api to 2.25.1 as well to ensure consistent behavior and complete security coverage.
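The mismatch the comment above describes (log4j-core bumped, log4j-api left behind) is easy to catch mechanically before merge. The script below is an added example written for this page, not code from the repository or from Snyk or Amazon Q. It parses a pom.xml, resolves `${property}` references the way Maven does for simple cases, and reports every artifact of a groupId whose versions disagree. The two pom documents it checks are constructed samples: one reproduces the state described in the comment, the other shows the remedy of pinning both artifacts to one shared `log4j.version` property (the property name is an assumption, not something the project uses).

```python
"""Detect version drift between artifacts of one Maven groupId (e.g. log4j-api
vs log4j-core) in a pom.xml. Added example; the poms below are constructed."""
import re
import xml.etree.ElementTree as ET

LOG4J = "org.apache.logging.log4j"
PROP_REF = re.compile(r"\$\{([^}]+)\}")


def make_pom(dependencies, properties=None):
    """Build a minimal pom.xml string (constructed sample, not the project's file)."""
    props = "".join(f"<{k}>{v}</{k}>" for k, v in (properties or {}).items())
    deps = "".join(
        f"<dependency><groupId>{g}</groupId><artifactId>{a}</artifactId>"
        f"<version>{v}</version></dependency>" for g, a, v in dependencies)
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
            "<modelVersion>4.0.0</modelVersion><groupId>example</groupId>"
            "<artifactId>demo</artifactId><version>1.0</version>"
            f"<properties>{props}</properties>"
            f"<dependencies>{deps}</dependencies></project>")


# State the review comment describes: core upgraded, api still at 2.13.3.
MISMATCHED_POM = make_pom([
    (LOG4J, "log4j-api", "2.13.3"),
    (LOG4J, "log4j-core", "2.25.1"),
    ("junit", "junit", "4.13.1"),
])

# Remedy: both artifacts reference one shared property (name is an assumption).
ALIGNED_POM = make_pom([
    (LOG4J, "log4j-api", "${log4j.version}"),
    (LOG4J, "log4j-core", "${log4j.version}"),
], {"log4j.version": "2.25.1"})


def resolve(value, props):
    """Expand ${name} references, including nested ones; unknown names stay as-is."""
    for _ in range(10):  # bound the expansion so a self-referencing property cannot loop forever
        expanded = PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value.strip()


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, resolvedVersion)] for every <dependency>."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM namespace so tags can be matched by plain name
        el.tag = el.tag.split("}", 1)[-1]
    props = {}
    props_el = root.find("properties")
    if props_el is not None:
        props = {child.tag: (child.text or "").strip() for child in props_el}
    project_version = root.findtext("version")  # direct child only: the project's own version
    if project_version:
        props["project.version"] = project_version.strip()
    deps = []
    for dep in root.iter("dependency"):
        group = dep.findtext("groupId", "").strip()
        artifact = dep.findtext("artifactId", "").strip()
        version = dep.findtext("version")
        deps.append((group, artifact, resolve(version, props) if version else None))
    return deps


def version_mismatches(pom_xml, group=LOG4J):
    """Map artifactId -> version for `group` when its artifacts disagree (an
    unpinned artifact counts as None); an empty dict means they are aligned."""
    found = {a: v for g, a, v in parse_dependencies(pom_xml) if g == group}
    return found if len(set(found.values())) > 1 else {}


if __name__ == "__main__":
    for label, pom in (("mismatched", MISMATCHED_POM), ("aligned", ALIGNED_POM)):
        drift = version_mismatches(pom)
        print(f"{label}: {'OK' if not drift else 'MISMATCH ' + str(drift)}")
```

Run against a real pom by reading the file into `version_mismatches`; a non-empty result is the condition to fail a pre-merge check on. The check deliberately reports a mismatch rather than picking a "correct" version, because which artifact is behind is a decision for the reviewer.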

<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.13.3</version>
<version>2.25.1</version>


ℹ️ Additional Security Considerations: While reviewing the dependencies, I noticed several other components that may benefit from security updates: JUnit 4.13.1 (consider upgrading to 4.13.2 or JUnit 5), Mockito 1.10.19 (very outdated), and the JSON library 20200518. Consider running a comprehensive dependency security scan to identify other potential vulnerabilities.
