log4j upgrade to 2.25.3 for CVE-2025-68161

jhua-vmware · jhua-vmware · commit 0cd40c0ac737 · 2026-03-05T09:53:08.000-08:00
diff --git a/g11n-ws/build.gradle b/g11n-ws/build.gradle
@@ -67,7 +67,7 @@ subprojects{
     	snakeyam="2.0"
     	jjwtVersion="0.9.1"
     	hibernateJpa21Api = "1.0.2.Final"
-    	log4j2Version="2.18.0"
+    	log4j2Version="2.25.3"
     	slf4jVersion="1.7.32"
     	esapiVersion="2.6.2.0"
 
@@ -87,4 +87,20 @@ subprojects{
    tasks.withType(JavaCompile) {
        options.encoding = "UTF-8"
     }
+
+    // CVE-2025-68161: force log4j2 >= 2.25.3 via Spring dependency-management plugin BOM override
+    plugins.withId('io.spring.dependency-management') {
+        dependencyManagement {
+            dependencies {
+                dependencySet(group: 'org.apache.logging.log4j', version: "$log4j2Version") {
+                    entry 'log4j-api'
+                    entry 'log4j-core'
+                    entry 'log4j-slf4j2-impl'
+                    entry 'log4j-jul'
+                    entry 'log4j-web'
+                    entry 'log4j-layout-template-json'
+                }
+            }
+        }
+    }
 }
