Jinwoo Hwang created GEODE-10555:
------------------------------------
Summary: Remediate Logback CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
Key: GEODE-10555
URL: https://issues.apache.org/jira/browse/GEODE-10555
Project: Geode
Issue Type: Improvement
Reporter: Jinwoo Hwang
h2. Description
Geode's runtime classpath includes Logback dependencies
(logback-classic:1.5.11, logback-core:1.5.11) that contain known security
vulnerabilities:
* CVE-2024-12798
* CVE-2024-12801
* CVE-2025-11226
* CVE-2026-1225
h2. Current State
* Logback version: 1.5.11 (vulnerable)
* Source: Transitive from spring-boot-starter-logging:3.3.5
h2. Investigation Required
* Verify no transitive usage through Spring Boot components
* Check if newer Logback versions address all CVEs
* Test impact on Spring Boot autoconfiguration
h2. Acceptance Criteria
* All CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225 resolved
* All tests pass (unit, integration, distributed, acceptance)
* No regression in logging functionality
* CVE scanner confirms vulnerabilities remediated
* Documentation updated if logging configuration changes
h2. Files Potentially Affected
* build.gradle (root)
* geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
* geode-assembly/src/integrationTest/resources/expected_jars.txt
* geode-assembly/src/integrationTest/resources/assembly_content.txt
* geode-server-all/src/integrationTest/resources/dependency_classpath.txt
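The acceptance criterion "CVE scanner confirms vulnerabilities remediated" is easy to cover with a local check over the classpath listing files named above: pick out every Logback jar and compare its version, numerically rather than lexically, against the first release that fixes all four CVEs. The script below is an added example, not Geode project code; the classpath listing is constructed for the example, and the minimum fixed version is passed in as a parameter because the ticket leaves it to be confirmed against the advisories.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of expected_jars.txt / gfsh_dependency_classpath.txt.
# The entries are made up for this example and do not reflect the real files.
SAMPLE_CLASSPATH = """\
spring-boot-starter-logging-3.3.5.jar
logback-classic-1.5.11.jar
logback-core-1.5.11.jar
log4j-api-2.17.2.jar
"""

# Matches the two Logback artifacts the ticket names and captures their version.
JAR_PATTERN = re.compile(
    r"(?P<artifact>logback-(?:classic|core))-(?P<version>\d+(?:\.\d+)*)\.jar$"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.5.11' into (1, 5, 11) so that 1.5.11 sorts after 1.5.9.
    Comparing the raw strings would wrongly rank '1.5.11' below '1.5.9'."""
    return tuple(int(part) for part in version.split("."))


def find_logback_jars(classpath_listing: str) -> Dict[str, str]:
    """Map each Logback artifact in the listing to its version string.
    Entries may be one per line or ':'-separated paths; only the basename matters."""
    found: Dict[str, str] = {}
    for entry in re.split(r"[\n:]", classpath_listing):
        basename = entry.strip().split("/")[-1]
        match = JAR_PATTERN.match(basename)
        if match:
            found[match.group("artifact")] = match.group("version")
    return found


def vulnerable_logback_jars(classpath_listing: str, minimum_fixed: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs older than minimum_fixed.

    minimum_fixed is a placeholder argument: supply the first Logback release
    confirmed to resolve all four CVEs once the investigation settles it."""
    floor = parse_version(minimum_fixed)
    return [
        (artifact, version)
        for artifact, version in sorted(find_logback_jars(classpath_listing).items())
        if parse_version(version) < floor
    ]


if __name__ == "__main__":
    # "1.5.99" is a made-up threshold used only to exercise the check.
    for artifact, version in vulnerable_logback_jars(SAMPLE_CLASSPATH, "1.5.99"):
        print(f"{artifact} {version} is below the fixed version")
```

Running it against the real listing files (for example with the contents of gfsh_dependency_classpath.txt as input) turns the acceptance criterion into a repeatable assertion that can sit in the integration test resources alongside the files it reads.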