From 7b3e14f9e39815ef150bbd451224219bb799c549 Mon Sep 17 00:00:00 2001
From: KashKondaka <37753523+KashKondaka@users.noreply.github.com>
Date: Tue, 21 Apr 2026 01:38:53 -0700
Subject: [PATCH] Resolve CVE-2026-34478 by forcing log4j-core to 2.25.4

Details:
Apache Log4j Core's Rfc5424Layout, in versions 2.21.0 through 2.25.3,
is vulnerable to log injection via CRLF sequences due to undocumented
renames of security-relevant configuration attributes. Two distinct
issues affect users of stream-based syslog services who configure
Rfc5424Layout directly:
- The newLineEscape attribute was silently renamed, causing newline
  escaping to stop working for users of TCP framing (RFC 6587), exposing
  them to CRLF injection in log output.
- The useTlsMessageFormat attribute was silently renamed, causing users
  of TLS framing (RFC 5425) to be silently downgraded to unframed TCP
  (RFC 6587), without newline escaping.
Users of the SyslogAppender are not affected, as its configuration
attributes were not modified.

Impact:
Apache Log4j Core's Rfc5424Layout, in versions 2.21.0 through 2.25.3,
is vulnerable to log injection via CRLF sequences due to undocumented
renames of security-relevant configuration attributes.

Fix:
Added force directive for org.apache.logging.log4j:log4j-core:2.25.4 in
the Gradle resolutionStrategy block. Version 2.25.4 corrects the renamed
attributes and restores proper CRLF escaping and TLS framing behavior.

Signed-off-by: KashKondaka <37753523+KashKondaka@users.noreply.github.com>
---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build.gradle b/build.gradle
index 3b38a2f71..1597751ec 100644
--- a/build.gradle
+++ b/build.gradle
@@ -149,6 +149,7 @@ configurations {
     all {
         resolutionStrategy {
             force "com.google.guava:guava:32.0.1-jre"
+            force "org.apache.logging.log4j:log4j-core:2.25.4"
         }
     }
 }