[ https://issues.apache.org/jira/browse/GEODE-10555?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jinwoo Hwang updated GEODE-10555:
---------------------------------
    Affects Version/s: 2.0.0

> Remediate Logback CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225
> -------------------------------------------------------------------------------
>
>                 Key: GEODE-10555
>                 URL: https://issues.apache.org/jira/browse/GEODE-10555
>             Project: Geode
>          Issue Type: Improvement
>    Affects Versions: 2.0.0
>            Reporter: Jinwoo Hwang
>            Priority: Major
>
> h2. Description
> Geode's runtime classpath includes Logback dependencies 
> (logback-classic:1.5.11, logback-core:1.5.11) that contain known security 
> vulnerabilities:
>  * CVE-2024-12798
>  * CVE-2024-12801
>  * CVE-2025-11226
>  * CVE-2026-1225
> h2. Current State
>  * Logback version: 1.5.11 (vulnerable)
>  * Source: Transitive from spring-boot-starter-logging:3.3.5
> h2. Investigation Required
>  * Verify no transitive usage through Spring Boot components
>  * Check if newer Logback versions address all CVEs
>  * Test impact on Spring Boot autoconfiguration
> h2. Acceptance Criteria
>  * All CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225 resolved
>  * All tests pass (unit, integration, distributed, acceptance)
>  * No regression in logging functionality
>  * CVE scanner confirms vulnerabilities remediated
>  * Documentation updated if logging configuration changes
> h2. Files Potentially Affected
>  * build.gradle (root)
>  * geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
>  * geode-assembly/src/integrationTest/resources/expected_jars.txt
>  * geode-assembly/src/integrationTest/resources/assembly_content.txt
>  * geode-server-all/src/integrationTest/resources/dependency_classpath.txt
>  
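Added example (editor's addition, not Geode's own build.gradle): a Gradle snippet that pins the transitive Logback modules named in the ticket and registers a check task that fails the build while a vulnerable Logback version still resolves on the runtime classpath. It assumes a standard Java project with the `runtimeClasspath` configuration; the remediated Logback version is not stated in the ticket, so `LOGBACK_FIXED_VERSION` is a placeholder to be replaced with the version the scanner reports as clean.

```groovy
// Added example for GEODE-10555, not from the Geode build.
// LOGBACK_FIXED_VERSION is a placeholder: the ticket does not name the fixed version.
def LOGBACK_FIXED_VERSION = 'FIXED_VERSION_PLACEHOLDER'
def LOGBACK_KNOWN_BAD = '1.5.11'            // version the ticket identifies as vulnerable
def LOGBACK_ARTIFACTS = ['logback-core', 'logback-classic']

dependencies {
    // Raise the Logback modules pulled in transitively by spring-boot-starter-logging:3.3.5.
    // A constraint only influences version selection; it does not add Logback to
    // projects that do not already depend on it.
    constraints {
        LOGBACK_ARTIFACTS.each { artifact ->
            implementation("ch.qos.logback:${artifact}:${LOGBACK_FIXED_VERSION}") {
                because 'GEODE-10555: CVE-2024-12798, CVE-2024-12801, CVE-2025-11226, CVE-2026-1225'
            }
        }
    }
}

// Fails the build if the known-vulnerable Logback version is still on the runtime
// classpath, or if the constraint did not take effect (e.g. another rule pinned it
// elsewhere). This is the condition the acceptance criteria ask a CVE scanner to confirm.
tasks.register('verifyLogbackRemediated') {
    group = 'verification'
    description = 'Fail if a vulnerable Logback version resolves on runtimeClasspath'
    doLast {
        def resolved = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'ch.qos.logback' && it.name in LOGBACK_ARTIFACTS }

        def stillVulnerable = resolved.findAll { it.version == LOGBACK_KNOWN_BAD }
        if (stillVulnerable) {
            throw new GradleException("Vulnerable Logback on runtime classpath: ${stillVulnerable}")
        }
        def notPinned = resolved.findAll { it.version != LOGBACK_FIXED_VERSION }
        if (notPinned) {
            throw new GradleException("Logback resolved to an unexpected version: ${notPinned}")
        }
        logger.lifecycle("Logback on runtime classpath: ${resolved ?: 'none'}")
    }
}

// Run the check as part of the normal verification lifecycle.
tasks.named('check') { dependsOn 'verifyLogbackRemediated' }
```

After the version change, the expected-jar lists under geode-assembly and geode-server-all named in the ticket will need their logback entries updated for the integration tests to pass.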



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
