Bump log4j from 2.21.0 to 2.25.3

[cwperks]

Description

We previously had to revert the log4j version bump due to some bugs in log4j that have since been resolved.

Log4j release notes: https://logging.apache.org/log4j/2.x/release-notes.html

Re-opening this as log4j is bringing in outdated dependencies with known CVEs so I think we should do the maintenance.

Check List

• Functionality includes testing.
• API changes companion pull request created, if applicable.
• Public documentation issue/PR created, if applicable.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

Summary by CodeRabbit

• Chores

  • Upgraded Log4j to 2.25.3 across multiple modules and updated associated checksum/license records.
  • Added error_prone_annotations to the versions catalog and adjusted its usage across builds.

• Tests

  • Updated tests to ignore a benign Log4j initialization message to reduce spurious failures and improved a test's logging output for clarity.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Bumps Log4j artifacts from 2.21.0 to 2.25.3, centralizes an error_prone_annotations version entry, removes module-level error_prone_annotations deps and their license/checksum artifacts, updates thirdPartyAudit ignore lists, and filters a Log4j 2.25+ initialization message from test status assertions.

Changes

Cohort / File(s)	Change Summary
Version catalog & changelog gradle/libs.versions.toml, CHANGELOG.md	Bumped Log4j to 2.25.3; added error_prone_annotations = "2.45.0"; recorded dependency bump in changelog.
Centralized / module error_prone_annotations edits modules/transport-grpc/build.gradle, plugins/arrow-flight-rpc/build.gradle, plugins/repository-gcs/build.gradle, test/logger-usage/build.gradle	Removed module-level com.google.errorprone:error_prone_annotations entries; added centralized compileOnly usage in test/logger-usage.
Build files — core & server audit lists libs/core/build.gradle, server/build.gradle	Added org.osgi.framework.wiring.BundleRevision to ignoreMissingClasses; server also adds com.fasterxml.jackson.databind.util.ClassUtil, com.lmax.disruptor.EventHandler, removes some org.fusesource.jansi.* ignores, adds jspecify and error_prone_annotations compileOnlyApi, and updates ignoreViolations.
License checksum removals (old Log4j / error_prone artifacts) .../licenses/log4j-*-2.21.0.jar.sha1, .../licenses/error_prone_annotations-*.jar.sha1, .../licenses/error_prone_annotations-LICENSE.txt (multiple locations)	Deleted SHA-1 checksum files and some error_prone license files corresponding to removed/updated dependencies.
License checksum additions (Log4j 2.25.3) libs/core/licenses/log4j-api-2.25.3.jar.sha1, server/licenses/log4j-*.2.25.3.jar.sha1, plugins/{crypto-kms,discovery-azure-classic,discovery-ec2,discovery-gce,repository-s3}/licenses/log4j-*.2.25.3.jar.sha1, plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.25.3.jar.sha1	Added SHA-1 checksum files for Log4j 2.25.3 artifacts across server, libs, and multiple plugins.
Repository S3 audit config plugins/repository-s3/build.gradle	Removed org.slf4j.ext.EventData from ignoreMissingClasses in thirdPartyAudit.
Test change — Log4j status filtering test/framework/src/main/java/org/opensearch/test/OpenSearchTestCase.java	Filters out a known Log4j 2.25+ initialization message from collected StatusData before formatting and asserting status messages.
Minor test logging formatting server/src/internalClusterTest/java/.../CompletionSuggestSearchIT.java	Adjusted logging to include loop index and use Arrays.toString(...) for array outputs.

Sequence Diagram(s)

(omitted — changes are dependency/license/test filtering and do not introduce a new multi-component control flow requiring a sequence diagram)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Bump org.apache.logging.log4j:log4j-core from 2.25.2 to 2.25.3 in /buildSrc/src/testKit/thirdPartyAudit/sample_jars #20300 — also updates Log4j to 2.25.3 (related dependency bump across artifacts).

Suggested labels

dependencies, patch

Suggested reviewers

• peternied
• msfroh
• reta

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly and concisely summarizes the main change: a version bump of log4j from 2.21.0 to 2.25.3, which matches the core focus of the changeset.
Description check	✅ Passed	The PR description provides context for the version bump, references prior revert, includes log4j release notes link, and acknowledges CVE concerns. While the checklist items remain unchecked, the core sections are complete with meaningful content.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 587cd0b and c0a6057.

📒 Files selected for processing (1)

• server/src/internalClusterTest/java/org/opensearch/search/suggest/CompletionSuggestSearchIT.java

✅ Files skipped from review due to trivial changes (1)

• server/src/internalClusterTest/java/org/opensearch/search/suggest/CompletionSuggestSearchIT.java

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: gradle-check
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: Analyze (java)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: detect-breaking-change

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (4)

plugins/repository-s3/licenses/log4j-1.2-api-2.25.3.jar.sha1 (1)

1-1: Checksum matches other modules.

This checksum is identical to other log4j-1.2-api-2.25.3.jar.sha1 files across modules, which is correct. Verification requested in the discovery-gce file applies here as well.

plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.25.3.jar.sha1 (1)

1-1: Checksum matches other modules.

This checksum is identical to the repository-s3 log4j-slf4j-impl-2.25.3.jar.sha1 file, which is correct. Verification requested in that file applies here as well.

plugins/discovery-ec2/licenses/log4j-1.2-api-2.25.3.jar.sha1 (1)

1-1: Checksum matches other modules.

This checksum is identical to other log4j-1.2-api-2.25.3.jar.sha1 files, which is expected. Verification requested in the discovery-gce file applies here.

plugins/crypto-kms/licenses/log4j-1.2-api-2.25.3.jar.sha1 (1)

1-1: Checksum matches other modules.

This checksum is identical to other log4j-1.2-api-2.25.3.jar.sha1 files across modules, which is correct. Verification requested in the discovery-gce file applies here.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1ebe587 and 66fa853.

📒 Files selected for processing (37)

• CHANGELOG.md
• gradle/libs.versions.toml
• libs/core/build.gradle
• libs/core/licenses/log4j-api-2.21.0.jar.sha1
• libs/core/licenses/log4j-api-2.25.3.jar.sha1
• modules/transport-grpc/build.gradle
• modules/transport-grpc/licenses/error_prone_annotations-2.24.1.jar.sha1
• modules/transport-grpc/licenses/error_prone_annotations-LICENSE.txt
• modules/transport-grpc/licenses/error_prone_annotations-NOTICE.txt
• plugins/arrow-flight-rpc/build.gradle
• plugins/arrow-flight-rpc/licenses/error_prone_annotations-2.31.0.jar.sha1
• plugins/arrow-flight-rpc/licenses/error_prone_annotations-LICENSE.txt
• plugins/arrow-flight-rpc/licenses/error_prone_annotations-NOTICE.txt
• plugins/crypto-kms/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/crypto-kms/licenses/log4j-1.2-api-2.25.3.jar.sha1
• plugins/discovery-azure-classic/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/discovery-azure-classic/licenses/log4j-1.2-api-2.25.3.jar.sha1
• plugins/discovery-ec2/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/discovery-ec2/licenses/log4j-1.2-api-2.25.3.jar.sha1
• plugins/discovery-gce/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/discovery-gce/licenses/log4j-1.2-api-2.25.3.jar.sha1
• plugins/repository-gcs/build.gradle
• plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.21.0.jar.sha1
• plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.25.3.jar.sha1
• plugins/repository-s3/build.gradle
• plugins/repository-s3/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/repository-s3/licenses/log4j-1.2-api-2.25.3.jar.sha1
• plugins/repository-s3/licenses/log4j-slf4j-impl-2.21.0.jar.sha1
• plugins/repository-s3/licenses/log4j-slf4j-impl-2.25.3.jar.sha1
• server/build.gradle
• server/licenses/log4j-api-2.21.0.jar.sha1
• server/licenses/log4j-api-2.25.3.jar.sha1
• server/licenses/log4j-core-2.21.0.jar.sha1
• server/licenses/log4j-core-2.25.3.jar.sha1
• server/licenses/log4j-jul-2.21.0.jar.sha1
• server/licenses/log4j-jul-2.25.3.jar.sha1
• test/logger-usage/build.gradle

💤 Files with no reviewable changes (19)

• plugins/repository-gcs/build.gradle
• plugins/crypto-kms/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/arrow-flight-rpc/build.gradle
• server/licenses/log4j-api-2.21.0.jar.sha1
• plugins/repository-s3/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/repository-s3/licenses/log4j-slf4j-impl-2.21.0.jar.sha1
• plugins/discovery-ec2/licenses/log4j-1.2-api-2.21.0.jar.sha1
• plugins/arrow-flight-rpc/licenses/error_prone_annotations-LICENSE.txt
• libs/core/licenses/log4j-api-2.21.0.jar.sha1
• plugins/repository-s3/build.gradle
• plugins/discovery-azure-classic/licenses/log4j-1.2-api-2.21.0.jar.sha1
• modules/transport-grpc/licenses/error_prone_annotations-2.24.1.jar.sha1
• server/licenses/log4j-core-2.21.0.jar.sha1
• modules/transport-grpc/build.gradle
• server/licenses/log4j-jul-2.21.0.jar.sha1
• modules/transport-grpc/licenses/error_prone_annotations-LICENSE.txt
• plugins/repository-hdfs/licenses/log4j-slf4j-impl-2.21.0.jar.sha1
• plugins/arrow-flight-rpc/licenses/error_prone_annotations-2.31.0.jar.sha1
• plugins/discovery-gce/licenses/log4j-1.2-api-2.21.0.jar.sha1

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (20)

• GitHub Check: gradle-check
• GitHub Check: precommit (25, macos-15)
• GitHub Check: precommit (21, ubuntu-24.04-arm)
• GitHub Check: precommit (25, ubuntu-latest)
• GitHub Check: precommit (21, windows-2025, true)
• GitHub Check: precommit (25, ubuntu-24.04-arm)
• GitHub Check: precommit (25, macos-15-intel)
• GitHub Check: precommit (21, ubuntu-latest)
• GitHub Check: precommit (21, macos-15)
• GitHub Check: precommit (21, windows-latest)
• GitHub Check: precommit (25, windows-latest)
• GitHub Check: precommit (21, macos-15-intel)
• GitHub Check: detect-breaking-change
• GitHub Check: assemble (21, ubuntu-latest)
• GitHub Check: assemble (21, ubuntu-24.04-arm)
• GitHub Check: assemble (25, ubuntu-24.04-arm)
• GitHub Check: assemble (25, ubuntu-latest)
• GitHub Check: assemble (25, windows-latest)
• GitHub Check: assemble (21, windows-latest)
• GitHub Check: Analyze (java)

🔇 Additional comments (13)

server/licenses/log4j-jul-2.25.3.jar.sha1 (1)

1-1: SHA-1 checksum verified against Maven Central.

The SHA-1 hash 08bba6d5a56f11931c218c016c96b740e238abbc matches the official log4j-jul-2.25.3.jar artifact from Maven Central.

CHANGELOG.md (1)

35-35: Log4j 2.25.3 addresses SSL/TLS hostname verification issue.

Log4j 2.25.3 resolves CVE-2025-68161, a medium-severity vulnerability affecting Socket Appender's TLS hostname verification in versions 2.0-beta9 through 2.25.2. No additional critical security advisories were identified for this version. However, verification of the specific bugs that triggered any previous revert requires review of the PR description, which is not available in this context.

plugins/repository-s3/licenses/log4j-slf4j-impl-2.25.3.jar.sha1 (1)

1-1: SHA-1 checksum verified against Maven Central.

The stored SHA-1 hash 4a173925524d8f6c3f39ae8954ee348e8244afd7 matches the official log4j-slf4j-impl-2.25.3.jar artifact from Maven Central Repository. Artifact integrity confirmed.

plugins/discovery-gce/licenses/log4j-1.2-api-2.25.3.jar.sha1 (1)

1-1: Verify log4j-1.2-api-2.25.3 checksum against Maven Central.

The checksum a7e550e638a5e534fd944616c5ae665a67e9501e is consistently used across 5 plugins (crypto-kms, discovery-azure-classic, discovery-ec2, discovery-gce, and repository-s3). However, version 2.25.3 is not currently visible in Maven Central public repositories (latest documented version is 2.25.2). Confirm this version exists in your artifact repository and validate the checksum against the official source.

server/licenses/log4j-api-2.25.3.jar.sha1 (1)

1-1: SHA1 checksum format is valid and consistent.

The 40-character hex SHA1 hash matches the corresponding libs/core/licenses/log4j-api-2.25.3.jar.sha1 file, ensuring consistency across modules.

server/licenses/log4j-core-2.25.3.jar.sha1 (1)

1-1: SHA1 checksum format is valid.

The 40-character hex SHA1 hash for log4j-core-2.25.3.jar is correctly formatted.

libs/core/licenses/log4j-api-2.25.3.jar.sha1 (1)

1-1: SHA1 checksum is consistent with server module.

The hash correctly matches server/licenses/log4j-api-2.25.3.jar.sha1, confirming the same artifact is referenced.

plugins/discovery-azure-classic/licenses/log4j-1.2-api-2.25.3.jar.sha1 (1)

1-1: SHA1 checksum is valid and consistent across plugins.

The 40-character hex hash for log4j-1.2-api-2.25.3.jar matches the checksums in other plugin directories (crypto-kms, discovery-ec2, discovery-gce), ensuring consistency.

libs/core/build.gradle (1)

76-76: LGTM! OSGi optional dependency handling.

The addition of org.osgi.framework.wiring.BundleRevision to the ignored classes is consistent with how other OSGi framework classes are already handled. Log4j uses OSGi classes optionally, and they're not available in the OpenSearch runtime environment.

server/build.gradle (3)

245-245: LGTM! Standard handling of optional dependencies.

The additions to ignoreMissingClasses are appropriate:

• com.fasterxml.jackson.databind.util.ClassUtil: Jackson databind utility, likely optionally used by log4j 2.25.3
• com.lmax.disruptor.EventHandler: LMAX Disruptor is used by log4j for async logging
• org.osgi.framework.wiring.BundleRevision: OSGi framework class, consistent with the change in libs/core/build.gradle

These are all optional dependencies that won't be present in the OpenSearch runtime environment.

Also applies to: 293-293, 344-344

---

98-100: Confirm log4j 2.25.3 addresses transitive dependency CVEs.

Log4j 2.25.3 fully addresses CVE-2025-68161, which involves the SocketAppender failing to verify the TLS hostname on peer certificates. Before merging, verify that this CVE and any other transitive dependency vulnerabilities mentioned in the PR motivation are indeed resolved by this upgrade.

---

102-103: These compileOnlyApi dependencies are required by log4j 2.25.3 for Gradle compilation.

Log4j 2.25.3 includes fixes for jspecify and error_prone_annotations dependency version resolution. These annotation libraries are made visible transitively at compile time for Gradle users through Gradle Module Metadata, so they must be explicitly declared in consuming projects like server. The version 1.0.0 for jspecify is the recommended standard.

test/logger-usage/build.gradle (1)

38-38: The error_prone_annotations dependency is correctly required for log4j 2.25.3 compatibility.

The compileOnly declaration addresses an issue in log4j where the error_prone_annotations dependency version property was being erased during POM flattening, which was fixed in log4j 2.25.2+. This dependency must be explicitly declared at compile-time to avoid compilation issues when using log4j 2.25.3. The code in this module does not directly use error_prone annotations, but they are required transitively by log4j itself.

[github-actions]

❌ Gradle check result for 66fa853: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for 587cd0b: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

❌ Gradle check result for c0a6057: FAILURE

Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?

[github-actions]

✅ Gradle check result for c0a6057: SUCCESS

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.24%. Comparing base (be07784) to head (c0a6057).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@             Coverage Diff              @@
##               main   #20308      +/-   ##
============================================
+ Coverage     73.16%   73.24%   +0.07%     
- Complexity    71744    71807      +63     
============================================
  Files          5795     5795              
  Lines        328304   328304              
  Branches      47281    47281              
============================================
+ Hits         240216   240464     +248     
+ Misses        68822    68553     -269     
- Partials      19266    19287      +21     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[opensearch-trigger-bot]

The backport to 2.19 failed:

The process '/usr/bin/git' failed with exit code 128

To backport manually, run these commands in your terminal:

# Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch/backport-2.19 2.19
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch/backport-2.19
# Create a new branch
git switch --create backport/backport-20308-to-2.19
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 e047211d6174d69e73e76a15fe57676ceb305781
# Push it to GitHub
git push --set-upstream origin backport/backport-20308-to-2.19
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch/backport-2.19

Then, create a pull request where the base branch is 2.19 and the compare/head branch is backport/backport-20308-to-2.19.

[cwperks]

I'll raise a manual backport for this.

[dbwiddis]

FYI, this bump introduced test failures in AD (at least) and maybe other plugins, (probably) due to apache/logging-log4j2#3929, which throws a NPE when rendering Mockito-generated exceptions (missing stack trace metadata).

Testing a workaround until 2.26.x which we should update to when it comes out.