Question: Log4j version support matrix for OpenSearch 3.4 (2.21.0 vs 2.25.x)

[naveen-adobe]

Describe the bug

Description

We upgraded OpenSearch to version 3.4 (RPM, Java 21).

The OpenSearch 3.4 RPM still ships with Apache Log4j 2.21.0:

• log4j-api-2.21.0.jar
• log4j-core-2.21.0.jar
• log4j-jul-2.21.0.jar
• log4j-slf4j-impl-2.21.0.jar (including plugins)

Security scanners are recommending Log4j 2.25.3 or later.
However, manually upgrading Log4j beyond 2.21.x causes startup failures and plugin incompatibilities.

Environment

• OpenSearch version: 3.4.x (RPM)
• OS: Rocky Linux
• Java: OpenSearch bundled JDK (Java 21)
• Security plugin: Enabled
• Plugins: ML, Security, Notifications

Evidence

Output from RPM:

Related component

No response

To Reproduce

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior

Confirmation of the officially supported Apache Log4j version for OpenSearch 3.4,
and clear guidance on whether Log4j versions newer than 2.21.0 are supported
or planned, especially in the context of security scanner recommendations.

Additional Details

Plugins
Please list all plugins currently enabled.

Screenshots
If applicable, add screenshots to help explain your problem.

Host/Environment (please complete the following information):

• OS: [e.g. iOS]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

[github-actions]

@naveen-adobe Please reply to this comment with the relevant component to ensure it gets properly triaged:

• Build
• Clients
• Cluster Manager
• Extensions
• Indexing:Performance
• Indexing:Replication
• Indexing
• Libraries
• Other
• Plugins
• Search:Aggregations
• Search:Performance
• Search:Query Capabilities
• Search:Query Insights
• Search:Relevance
• Search:Remote Search
• Search:Resiliency
• Search:Searchable Snapshots
• Search
• Storage:Durability
• Storage:Performance
• Storage:Remote
• Storage:Snapshots
• Storage

Reply with the component name, and we'll label this issue appropriately.

[andrross]

logj4 has been updated to 2.25.3 in #20308. This will be included in the next release.

[andrross]

@naveen-adobe I'm not surprised that 3.4 doesn't work with swapping out the log4j version at runtime. If you need 3.4 to work with the latest log4j then you can backport #20308 to the 3.4 branch and build your own distribution, or else wait for the 3.5 release.

I'm going to close this issue, but please leave a comment and tag me if you have more questions.

[naveen-adobe]

@andrross when can we expect the 3.5 Release ?

[andrross]

when can we expect the 3.5 Release ?

@naveen-adobe February 10 at the latest. See https://opensearch.org/releases/