Details
Fix
Status: Dismissed
Medium
Resolution: Won't Fix
2.0.0
None
None
CVE-2025-68161
Description
Current Situation
- JS7 JOC Cockpit ships with Log4j 2.24.3, which is affected by CVE-2025-68161; for details see https://nvd.nist.gov/vuln/detail/CVE-2025-68161.
- We rate the impact on JS7 products as Low, because JS7 does not use the SocketAppender (TLS over TCP) affected by the CVE. The vulnerability is only exploitable if a user individually adds such an appender with a TLS connection: the affected Log4j versions do not verify the server's hostname against its certificate when establishing the connection, so an attacker able to intercept that connection could impersonate the log server.
Desired Behavior
- JS7 JOC Cockpit should use Log4j version 2.25.3 which addresses the issue.
- While Log4j 2.25.3 fixes the vulnerability, it includes a severe bug: ThrowableStackTraceRenderer throws an NPE when rendering a Throwable with concurrently mutated suppressions (Log4j issue #3929). The NullPointerException rules out use of Log4j 2.25.3 with JS7 products. Log4j bug 3929 has been known since Sep 2025; it is not fixed in the 2.25 branch but only in the 2.26 branch, which is not expected to become available before Sep 2026.
Maintainer Notes
- Using Log4j 2.25.3, which includes an unacceptable bug, is not an option for JS7 products. Therefore the issue is dismissed and will be resumed when a working Log4j version becomes available, probably in Sep 2026.
- To mitigate the CVE, users should check the log4j2.xml configuration files in use for JOC Cockpit, Controller and Agents for a SocketAppender that they individually added and that uses a TLS connection to an untrusted host. By default no such log appender is configured. For details see JS7 - Log Files and Locations.
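The check described in the mitigation note, as an added example that is not part of the JS7 issue or of the JS7 products: a Python script that scans a log4j2.xml file and reports every Socket appender that uses TLS (either `protocol="SSL"` or a nested `<SSL>` element), which is the only appender type the CVE concerns. The sample configuration is constructed for illustration; the `verifyHostName` attribute lookup is an assumption about the attribute name exposed by fixed Log4j releases and should be checked against the Log4j release notes before relying on it.

```python
"""Scan a log4j2.xml for Socket appenders using TLS (CVE-2025-68161 exposure check).

Added example; not part of JS7. Log4j 2 matches element and attribute names
case-insensitively, so the scan lowercases both before comparing.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: one console appender, one plain-TCP socket
# appender (not affected) and one TLS socket appender (affected).
SAMPLE_LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration status="WARN">
  <Appenders>
    <Console name="Console" target="SYSTEM_OUT">
      <PatternLayout pattern="%d %-5p %c - %m%n"/>
    </Console>
    <Socket name="PlainTcp" host="logs.example.internal" port="4560" protocol="TCP">
      <JsonLayout/>
    </Socket>
    <Socket name="TlsSocket" host="logs.example.internal" port="6514" protocol="SSL">
      <SSL>
        <KeyStore location="/opt/keys/client.p12" password="changeit"/>
        <TrustStore location="/opt/keys/truststore.p12" password="changeit"/>
      </SSL>
      <JsonLayout/>
    </Socket>
  </Appenders>
  <Loggers>
    <Root level="info">
      <AppenderRef ref="Console"/>
    </Root>
  </Loggers>
</Configuration>
"""


def _local(tag):
    """Element name without namespace prefix, lowercased."""
    return tag.rsplit("}", 1)[-1].lower()


def find_tls_socket_appenders(xml_text):
    """Return a list of dicts describing Socket appenders that use TLS.

    A Socket appender is considered TLS-bound if its protocol attribute is
    "SSL" or if it carries a nested <SSL> element. Plain TCP/UDP sockets are
    not reported because CVE-2025-68161 only concerns TLS connections.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for el in root.iter():
        if _local(el.tag) != "socket":
            continue
        attrs = {k.lower(): v for k, v in el.attrib.items()}
        ssl_el = next((c for c in el if _local(c.tag) == "ssl"), None)
        protocol = attrs.get("protocol", "TCP").upper()
        if ssl_el is None and protocol != "SSL":
            continue
        ssl_attrs = {k.lower(): v for k, v in ssl_el.attrib.items()} if ssl_el is not None else {}
        hits.append({
            "name": attrs.get("name", "<unnamed>"),
            "host": attrs.get("host"),
            "port": attrs.get("port"),
            "protocol": protocol,
            # Assumed attribute name; verify against the Log4j release notes.
            "verify_host_name": ssl_attrs.get("verifyhostname"),
        })
    return hits


def scan_file(path):
    """Scan a log4j2.xml file on disk and return the TLS socket appenders found."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_tls_socket_appenders(fh.read())


def format_report(hits):
    """Render the scan result as text suitable for a mitigation review."""
    if not hits:
        return "OK: no TLS Socket appender configured (default JS7 state)."
    lines = ["WARNING: TLS Socket appender(s) found; verify the target host is trusted:"]
    for h in hits:
        lines.append("  appender=%s host=%s port=%s protocol=%s verifyHostName=%s"
                     % (h["name"], h["host"], h["port"], h["protocol"], h["verify_host_name"]))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_log4j2_socket.py [path/to/log4j2.xml ...]
    # Without arguments the constructed sample is scanned.
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print("%s:\n%s" % (p, format_report(scan_file(p))))
    else:
        print(format_report(find_tls_socket_appenders(SAMPLE_LOG4J2_XML)))
```

Run it against each log4j2.xml in use for JOC Cockpit, Controller and Agents; a clean result matches the default JS7 state described above, while any reported appender needs a review of the target host before Log4j is upgraded.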
Issue Links
- relates to JOC-2194 Upgrade log4j-core to version 2.25.3 due to 3rd-party vulnerability CVE-2025-68161 (Dismissed)