[Snyk] Upgrade org.apache.logging.log4j:log4j-core from 2.3.1 to 2.25.4

[papicella]

Snyk has created this PR to upgrade org.apache.logging.log4j:log4j-core from 2.3.1 to 2.25.4.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 51 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Encoding or Escaping of Output SNYK-JAVA-ORGAPACHELOGGINGLOG4J-15967769	300	No Known Exploit
	Improper Validation of Certificate with Host Mismatch SNYK-JAVA-ORGAPACHELOGGINGLOG4J-14532782	300	No Known Exploit
	Arbitrary Code Execution SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2327339	300	Proof of Concept
	Deserialization of Untrusted Data SNYK-JAVA-ORGAPACHELOGGINGLOG4J-31409	300	Mature
	Man-in-the-Middle (MitM) SNYK-JAVA-ORGAPACHELOGGINGLOG4J-567761	300	No Known Exploit

Breaking Change Risk

Notice: This assessment is enhanced by AI.

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[papicella]

This is a major version upgrade across a very wide range of releases, introducing significant breaking changes.

Key Breaking Changes:

• Java Version Requirement: The target version 2.25.4 requires Java 8 or later. The starting version 2.3.1 only required Java 6. [1, 2, 8] Your application environment must be using at least Java 8.
• Removed Modules: As of version 2.25.0, several modules are no longer part of the main release and must be managed separately. This includes log4j-flume-ng, log4j-kubernetes, and log4j-mongodb3. [7] If you use the MongoDB v3 appender, you must migrate to log4j-mongodb4 or the latest log4j-mongodb artifact. [7]
• Configuration Properties: Starting with version 2.24.0, the naming convention for configuration properties was standardized, and old, unofficial property names are no longer supported. [7] You must review your Log4j configuration files for any non-standard property names.
• Security Hardening & Behavioral Changes: In response to major security vulnerabilities, versions from 2.17.x onwards introduced significant behavioral changes. JNDI lookups are now disabled by default, and scripting features must be explicitly enabled via a system property. [4]

Recommendation: Before merging, verify that your project is running on Java 8 or newer. Carefully review your Log4j configuration (log4j2.xml, log4j2.properties, etc.) to ensure compatibility with the new property naming conventions and check for usage of any removed modules like log4j-mongodb3.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

[papicella]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.