Upgrade org.apache.logging.log4j:log4j-core and log4j-api libraries

[Dilli-Babu-Godari]

Description

Upgraded org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3
Upgraded org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3

Motivation and Context

Addresses below CVEs

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our co
  ntributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
*  Upgraded org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3 in response to `CVE-2024-47554<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554>`
*  Upgraded org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3 in response to `CVE-2024-47554 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554>`

[imjalpreet]

@Dilli-Babu-Godari, I noticed that these libraries are also included with version 2.17.1 in presto-druid. Is there a specific reason we’re not upgrading them as well? Could you take a look?

[Dilli-Babu-Godari]

@Dilli-Babu-Godari, I noticed that these libraries are also included with version 2.17.1 in presto-druid. Is there a specific reason we’re not upgrading them as well? Could you take a look?

I have now added the presto-druid as well. Could you please review it again?

[agrawalreetika]

@Dilli-Babu-Godari Please verify both the dependency by checking the dependency tree, I still see these 2 are coming from some more packages.

[Dilli-Babu-Godari]

@Dilli-Babu-Godari Please verify both the dependency by checking the dependency tree, I still see these 2 are coming from some more packages.

I have made changes, so the versions are now aligned.

[steveburnett]

In the release note entries, please add a link to a CVE. See Phrasing in the Release Notes Guidelines for an example and formatting. Because there are so many CVEs shown in this one, choose an appropriate CVE - perhaps the most recent one?

[imjalpreet]

@Dilli-Babu-Godari thanks for the changes. Can you also confirm the output of the below commands:

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-api

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core

[steveburnett]

In the release note entries, please add a link to a CVE. See Phrasing in the Release Notes Guidelines for an example and formatting. Because there are so many CVEs shown in this one, choose an appropriate CVE - perhaps the most recent one?

Thank you!

[Dilli-Babu-Godari]

@Dilli-Babu-Godari thanks for the changes. Can you also confirm the output of the below commands:

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-api

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core

Build is successful and the modules are having respective upgraded versions of log4j-core and log4j-api

[imjalpreet]

@Dilli-Babu-Godari LGTM, I am approving the PR but I have one minor request. The commit message exceeds the single-line character limit. Please update it to the following::

Upgrade log4j-core and log4j-api dependencies

Upgrade org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3
Upgrade org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3

Fixes almost 25 CVEs.

[aaneja]

@agrawalreetika @imjalpreet @jaystarshot
Are we sure we want to take a direct dependency on Log4J ? We do not use this library for logging in Presto (we use Airlift). We of course, cannot control the deps of the connectors, but IMO we should avoid it in presto-root / presto-main

[jaystarshot]

@aaneja That makes sense to me. Would you be willing to handle the fix or revert?

[imjalpreet]

@aaneja Would it be a problem since we are just adding it in the DependencyManagement section of root pom to control the version? As part of the dependencies, it's still only included in the required connectors. Please let me know if I'm misunderstanding anything.

[aaneja]

@imjalpreet You're right that it doesn't bring it in to specific modules unless referenced. However, I would like to avoid the reference/temptation to refer to Log4J for the core modules. Having connectors take a hard reference to Log4J (when needed) seems like a good compromise

[Dilli-Babu-Godari]

@aaneja I have raised a seperate PR 24605 and addressed all the comments there.