[Snyk] Security upgrade org.apache.logging.log4j:log4j-core from 2.14.1 to 2.17.0

[DK7705]

Snyk has created this PR to fix 1 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• app/api-gateway/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Denial of Service (DoS) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2321524	696	org.apache.logging.log4j:log4j-core: 2.14.1 -> 2.17.0 Proof of Concept

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

[DK7705]

This upgrade from version 2.14.1 to 2.17.0 is critical for security, as it addresses the series of vulnerabilities related to Log4Shell (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105). However, the fixes introduce significant breaking changes.

Breaking Changes:

• Message Lookups Removed (v2.16.0): Support for message lookups has been completely removed. Any log messages that contain lookup patterns like ${ctx:key} will no longer be interpreted. This was a primary vector for the Log4Shell vulnerability.
• JNDI Disabled by Default (v2.16.0): JNDI is now disabled by default. The system property log4j2.enableJndi was also removed.
• JNDI Properties Changed (v2.17.0): The single property to enable JNDI was replaced by more granular properties: log4j2.enableJndiLookup, log4j2.enableJndiJms, and log4j2.enableJndiContextSelector.
• Recursive Lookups Disabled (v2.17.0): To prevent denial-of-service attacks (CVE-2021-45105), recursive evaluation of lookups in log events is now disabled.

Recommendation:

This is a mandatory security upgrade. Developers must verify that application code and logging configurations do not rely on the removed message lookup functionality. Any use of JNDI features must be explicitly re-enabled using the new system properties in v2.17.0. Thoroughly test logging behavior after the upgrade.

Source: Apache Log4j Release Notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.