HHH-20334 Upgrade to Log4j 2.25.4

yrodiere · yrodiere · commit 697d343c3f79 · 2026-04-13T10:00:38.000+02:00
Technically we only: 1. Use it for testing 2. Have an API dependency in hibernate-testing, which provides some tools to work with log4j So the various CVEs are not really relevant: * https://logging.apache.org/security.html#CVE-2026-34478 * https://logging.apache.org/security.html#CVE-2026-34479 * https://logging.apache.org/security.html#CVE-2026-34481 Still, let’s avoid the noise related to automated tools reporting the problem.
diff --git a/settings.gradle b/settings.gradle
@@ -166,7 +166,7 @@ dependencyResolutionManagement {
             def bytemanVersion = version "byteman", "4.0.20"
             def jbossJtaVersion = version "jbossJta", "7.0.0.Final"
             def jbossTxSpiVersion = version "jbossTxSpi", "8.0.0.Final"
-            def log4jVersion = version "log4j", "2.17.1"
+            def log4jVersion = version "log4j", "2.25.4"
             def mockitoVersion = version "mockito", "5.2.0"
             //Compatible with JDK20
             def shrinkwrapVersion = version "shrinkwrap", "1.2.6"
