GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3 to remediate CVE-202…

[JinwooHwang]

GEODE-10543: Upgrade Log4j from 2.17.2 to 2.25.3

Description

This PR upgrades Apache Log4j from version 2.17.2 to 2.25.3 to remediate security vulnerability CVE-2025-68161.

Changes Made

1. Dependency Version Update

• Updated log4j.version from 2.17.2 to 2.25.3 in DependencyConstraints.groovy
• Added log4j-core-test to dependency management for test utilities

2. Build Configuration

• Added GraalVM annotation processor configuration in geode-log4j/build.gradle
• Log4j 2.25.3 includes GraalVM Reachability Metadata annotation processor that requires Maven coordinates
• Added compiler arguments: -Alog4j.graalvm.groupId and -Alog4j.graalvm.artifactId

3. Integration Test Migration

• Migrated 21 integration tests to use new test utility packages
• Log4j 2.20.0+ restructured test artifacts for JPMS compliance
• Package changes:
  • org.apache.logging.log4j.junit.LoggerContextRule → org.apache.logging.log4j.core.test.junit.LoggerContextRule
  • org.apache.logging.log4j.test.appender.ListAppender → org.apache.logging.log4j.core.test.appender.ListAppender
• Zero test logic changes - only import statements updated

4. Documentation Updates

• Updated version references in 3 documentation files:
  • geode-docs/managing/logging/configuring_log4j2.html.md.erb
  • geode-docs/managing/logging/how_logging_works.html.md.erb
  • geode-docs/tools_modules/http_session_mgmt/weblogic_setting_up_the_module.html.md.erb

5. Test Resources

• Updated expected JAR names in 4 test resource files to reflect new version
• Updated geode-all-bom/expected-pom.xml with 5 log4j dependency versions

Files Changed

• 31 files changed: 80 insertions(+), 61 deletions(-)

Testing

• ✓ Build successful with all validations
• ✓ Unit tests pass
• ✓ Integration tests compile successfully
• ✓ Full build: 718 tasks executed in 25s

Security Impact

• Remediates CVE-2025-68161
• No breaking changes to public APIs
• All existing tests pass with updated dependencies

Related Issues

• JIRA: GEODE-10543
• Apache Log4j JIRA: LOG4J2-3650 (test artifact restructuring)

For all changes, please confirm:

• Is there a JIRA ticket associated with this PR? Is it referenced in the commit message?
• Has your PR been rebased against the latest commit within the target branch (typically develop)?
• Is your initial contribution a single, squashed commit?
• Does gradlew build run cleanly?
• Have you written or updated unit tests to verify your changes?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?

[sboorlagadda]

LGTM. @JinwooHwang can we verify that there are no other modules use log4j-core::tests or log4j-core::test-sources

[JinwooHwang]

@sboorlagadda, Thanks for the review! Verified!
I've confirmed that no other modules use log4j-core::tests or log4j-core::test-sources. Here's the evidence:

1. grep -rn "::test" --include="*.gradle" .
2. grep -rn "log4j-core-test" --include="*.gradle" .

./geode-log4j/build.gradle:84: // Log4j 2.20.0+ moved test utilities to log4j-core-test with new package names:
./geode-log4j/build.gradle:87: // log4j-core-test 2.25.3 transitively depends on assertj-core 3.27.3, but Geode's
./geode-log4j/build.gradle:90: integrationTestImplementation('org.apache.logging.log4j:log4j-core-test') {

All checks have passed. We're ready to merge!

[sboorlagadda]

Glad! good to go

[JinwooHwang]

Thank you so much for your support @sboorlagadda .