
Conversation

@JinwooHwang
Contributor

Problem

Logback is pulled in as a transitive dependency from spring-boot-starter-logging:3.3.5, exposing the project to multiple CVEs:

Logback is not used anywhere in the codebase - all logging is routed through Log4j 2 via log4j-slf4j-impl.

Solution

Added global exclusion of ch.qos.logback group in build.gradle configurations to prevent transitive inclusion. Updated all expected POM files to reflect the dependency changes.

Testing

  • All unit tests passing (235 tasks)
  • Build validation
  • Verified logback completely removed from runtime classpath
  • Confirmed no logback imports in codebase

Changes

  • Modified build.gradle: Added global logback exclusion with documentation
  • Updated 26 expected-pom.xml files across modules to reflect dependency changes

For all changes, please confirm:

  • Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
  • Has your PR been rebased against the latest commit within the target branch (typically develop)?
  • Is your initial contribution a single, squashed commit?
  • Does gradlew build run cleanly?
  • Have you written or updated unit tests to verify your changes?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
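As an added illustration, not the PR's own diff, this Gradle Groovy DSL fragment shows the global `ch.qos.logback` exclusion the description refers to, placed beside a `verifyNoLogback` task that fails the build if the group ever returns to the runtime classpath. The dependency coordinates other than `spring-boot-starter-logging:3.3.5`, the task name and the BOM-managed `log4j-slf4j-impl` version are assumptions.

```groovy
// Without the block below, spring-boot-starter-logging pulls logback-classic and
// logback-core in transitively even though SLF4J is bound to Log4j 2 here.
configurations.all {
    // Applies to compileClasspath, runtimeClasspath and every test configuration.
    exclude group: 'ch.qos.logback'
}

dependencies {
    // Version taken from the PR description; the starter is the transitive source.
    implementation 'org.springframework.boot:spring-boot-starter-logging:3.3.5'
    // Assumed: version supplied by a platform/BOM already declared in the project.
    implementation 'org.apache.logging.log4j:log4j-slf4j-impl'
}

// Regression guard for the "verified logback completely removed from runtime
// classpath" step: resolves runtimeClasspath and fails on any ch.qos.logback artifact.
tasks.register('verifyNoLogback') {
    doLast {
        def offenders = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .findAll { it.moduleVersion.id.group == 'ch.qos.logback' }
            .collect { it.moduleVersion.id.toString() }
        if (!offenders.empty) {
            throw new GradleException("logback found on runtime classpath: ${offenders}")
        }
    }
}

// Hook the guard into `check` so `gradlew build` enforces it on every run.
tasks.named('check') { dependsOn 'verifyNoLogback' }
```

`gradlew dependencies --configuration runtimeClasspath | grep ch.qos.logback` gives the same answer interactively; the task only makes the check part of the normal build.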

- Add global exclusion of ch.qos.logback to prevent transitive inclusion
- Remediate CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
- Update expected POM files to reflect dependency changes
- All logging routed through Log4j 2 via log4j-slf4j-impl
Remove logback-classic and logback-core from expected dependencies
- Remove logback-classic and logback-core from assembly_content.txt
- Remove logback from expected_jars.txt (bundled jars)
- Remove logback from gfsh_dependency_classpath.txt