Upgrade org.apache.logging.log4j:log4j-core and log4j-api libraries

[Dilli-Babu-Godari]

Description

Upgraded org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3
Upgraded org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3

Motivation and Context

Addresses below CVEs

Impact

Test Plan

Contributor checklist

• Please make sure your submission complies with our co
  ntributing guide, in particular code style and commit standards.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
*  Upgraded org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3 in response to `CVE-2024-47554<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554>`
*  Upgraded org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3 in response to `CVE-2024-47554 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554>`

[imjalpreet]

@Dilli-Babu-Godari, I noticed that these libraries are also included with version 2.17.1 in presto-druid. Is there a specific reason we’re not upgrading them as well? Could you take a look?

[Dilli-Babu-Godari]

@Dilli-Babu-Godari, I noticed that these libraries are also included with version 2.17.1 in presto-druid. Is there a specific reason we’re not upgrading them as well? Could you take a look?

I have now added the presto-druid as well. Could you please review it again?

[agrawalreetika]

@Dilli-Babu-Godari Please verify both the dependency by checking the dependency tree, I still see these 2 are coming from some more packages.

[Dilli-Babu-Godari]

@Dilli-Babu-Godari Please verify both the dependency by checking the dependency tree, I still see these 2 are coming from some more packages.

I have made changes, so the versions are now aligned.

[steveburnett]

In the release note entries, please add a link to a CVE. See Phrasing in the Release Notes Guidelines for an example and formatting. Because there are so many CVEs shown in this one, choose an appropriate CVE - perhaps the most recent one?

[imjalpreet]

@Dilli-Babu-Godari thanks for the changes. Can you also confirm the output of the below commands:

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-api

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core

[imjalpreet]

Since we have moved the dependencies to root pom, we can remove the version in this pom for both the dependencies.

presto/presto-druid/pom.xml

Line 181 in e84e4d2

<version>${dep.log4j.version}</version>

presto/presto-druid/pom.xml

Line 188 in e84e4d2

<version>${dep.log4j.version}</version>

[imjalpreet]

Since we have moved the dependencies to root pom, we can remove the version in this pom as well for both the dependencies.

presto/presto-elasticsearch/pom.xml

Line 183 in e84e4d2

<version>${dep.log4j.version}</version>

presto/presto-elasticsearch/pom.xml

Line 176 in e84e4d2

<version>${dep.log4j.version}</version>

[Dilli-Babu-Godari]

I have removed the version tag. Could you please review again ?

[imjalpreet]

Can you also confirm the output of the below commands:

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-api

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core

@Dilli-Babu-Godari Can you also share these?

[steveburnett]

In the release note entries, please add a link to a CVE. See Phrasing in the Release Notes Guidelines for an example and formatting. Because there are so many CVEs shown in this one, choose an appropriate CVE - perhaps the most recent one?

Thank you!

[Dilli-Babu-Godari]

@Dilli-Babu-Godari thanks for the changes. Can you also confirm the output of the below commands:

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-api

./mvnw dependency:tree -Dincludes=org.apache.logging.log4j:log4j-core

Build is successful and the modules are having respective upgraded versions of log4j-core and log4j-api

[imjalpreet]

@Dilli-Babu-Godari LGTM, I am approving the PR but I have one minor request. The commit message exceeds the single-line character limit. Please update it to the following::

Upgrade log4j-core and log4j-api dependencies

Upgrade org.apache.logging.log4j:log4j-core from 2.17.1 to 2.24.3
Upgrade org.apache.logging.log4j:log4j-api from 2.17.1 to 2.24.3

Fixes almost 25 CVEs.