fix(security): Bump transitive dependency org.apache.logging.log4j:log4j-core to 2.25.3 to fix CVE-2025-68161

[nishithakbhaskaran]

Description

org.apache.logging.log4j:log4j-core 2.17.1 is coming into presto image transitively from presto-pinot module
which introduces the following CVE to presto .

https://nvd.nist.gov/vuln/detail/CVE-2025-68161

This PR fixes the issue by adding the vulnerable free version org.apache.logging.log4j:log4j-core 2.25.3 in dependency management.

Motivation and Context

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.
• If adding new dependencies, verified they have an OpenSSF Scorecard score of 5.0 or higher (or obtained explicit TSC approval for lower scores).

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Upgrade transitive dependency org.apache.logging.log4j:log4j-core to 2.25.3 to fix `CVE-2025-68161 <https://nvd.nist.gov/vuln/detail/CVE-2025-68161>`_.

[agrawalreetika]

Thanks for the PR @nishithakbhaskaran
Can you attach the details/screenshots of before and after dependency tree, how it is coming as a transitive dependency?

Also plan to run sanity integration tests for some of the queries in pinot connector as ci doesn't have pinot image.

[nishithakbhaskaran]

Thanks for the PR @nishithakbhaskaran Can you attach the details/screenshots of before and after dependency tree, how it is coming as a transitive dependency?

Also plan to run sanity integration tests for some of the queries in pinot connector as ci doesn't have pinot image.

Below are the dependency before and after the fix.

dependency-after.txt
dependency-before.txt

It is coming as transitive dependency from org.apache.helix:helix-core:jar:1.3.1 jar

Tested pinot connector queries is updated in Test Plan

[agrawalreetika]

Thanks @nishithakbhaskaran LGTM

[imjalpreet]

I see that in the dependency tree shared above, we also have log4j-slf4j-impl dependency from the same group ID. Earlier both log4j-core and log4j-slf4j-impl were of the same version but now they are different. I think we could upgrade both to avoid any incompatibilities.

[nishithakbhaskaran]

I see that in the dependency tree shared above, we also have log4j-slf4j-impl dependency from the same group ID. Earlier both log4j-core and log4j-slf4j-impl were of the same version but now they are different. I think we could upgrade both to avoid any incompatibilities.

@imjalpreet Thanks for the review. It sounds relevant. I could also see org.apache.logging.log4j:log4j-api:jar:2.17.1:compile.
Lets change that as well to the latest version?

[INFO] | | | +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.1:compile
[INFO] | | | | - org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile

[imjalpreet]

@nishithakbhaskaran, log4j-api is coming as part of log4j-slf4j-impl, so most likely it will automatically get updated when you upgrade slf4j.

[nishithakbhaskaran]

@nishithakbhaskaran, log4j-api is coming as part of log4j-slf4j-impl, so most likely it will automatically get updated when you upgrade slf4j.

@imjalpreet Updated accordingly.

[hantangwangd]

Thanks @nishithakbhaskaran, looks good to me!