
PBI OnPrem Gateway: Need to update the jar log4j-core-2.25.3 to 2.25.4 (May 2026)

Guha, Swapnadeep 0 Reputation points
2026-06-10T03:12:53.6233333+00:00

Dear Microsoft Support Team,

I am writing to request guidance regarding compliance requirements for our Power BI On-Premises Data Gateway deployment.

We recently upgraded our gateway to the May 2026 release. Following this update, we observed that the bundled Apache Log4j version is 2.25.3. However, our organization's strict security policy mandates the use of Log4j-core-2.25.4 or higher to satisfy internal compliance audits.

Could you please provide clarity on the following points:

  • Upgrade Procedure: What is the officially supported method to safely upgrade or replace the Log4j JAR files to version 2.25.4 within the Power BI Gateway installation directory?
  • Manual Replacement: If we manually swap the log4j-core-2.25.3.jar file with the 2.25.4 version, will this break gateway functionality or invalidate our Microsoft support contract?
  • Version Implications: Are there known operational, performance, or compatibility implications when running the May 2026 gateway with Log4j version 2.25.3 versus version 2.25.4?
  • Product Roadmap: Is there an upcoming patch or gateway release planned that will natively include Log4j 2.25.4 or higher?

We look forward to your detailed technical guidance on how to achieve this upgrade securely and within supported guardrails.

Best regards,
Swapnadeep Guha

Microsoft Security | Microsoft Defender | Other

2 answers

  1. Guha, Swapnadeep 0 Reputation points
    2026-06-10T03:16:10.8633333+00:00

    I need real-time effect on the dashboards with the upgrade to 2.25.4 or higher.

    Was this answer helpful?


  2. AI answer

    2026-06-10T03:13:08.07+00:00

    The on-premises data gateway and its bundled components, including Log4j, are serviced only through the official monthly gateway releases. The supported and recommended way to address dependency versions or vulnerabilities is to:

    1. Ensure the gateway is on a currently supported build (one of the last six monthly releases).
    2. Apply newer gateway releases as they become available.

    From the provided information:

    • The May 2026 gateway (version 3000.318) is a supported release.
    • Gateway troubleshooting and security guidance explicitly recommend staying on a supported, up-to-date gateway build and updating when new versions are released.

    Within this context, the following points can be addressed:

    • Upgrade Procedure: There is no documented or supported procedure to selectively upgrade or replace individual third-party JARs (such as log4j-core) inside the on-premises data gateway installation. The supported update path is to upgrade the entire gateway to a newer monthly build using either:
      • The Fabric/Power BI portal UI (Manage Gateways → On-premises data gateways → select gateway → Update), or
      • The Update-DataGatewayClusterMember PowerShell command for programmatic/at-scale updates.
    • Manual Replacement: The documentation does not describe or support manual replacement of internal gateway binaries or libraries. Only full gateway updates are covered. Because manual modification of gateway binaries is not documented as supported, it falls outside the supported configuration model. The only supported way to change bundled components is via an official gateway update.
    • Version Implications (2.25.3 vs 2.25.4): The available content does not provide any comparison or operational, performance, or compatibility notes specific to Log4j 2.25.3 versus 2.25.4 in the gateway. It only states, in the context of Azure SDK for Java, that Log4j 2.16 or later should be used due to CVE-2021-44228. No additional guidance is given about later micro-version differences within the gateway.
    • Product Roadmap / Future Inclusion of 2.25.4+: The context shows that:
      • A new on-premises data gateway build is released monthly.
      • Only the last six releases are supported.
      However, there is no specific roadmap information or commitment about when a particular Log4j micro-version (such as 2.25.4) will be included in a gateway build.

    Given the above, the supported approach to meet internal security requirements is:

    1. Keep the gateway on a supported, current monthly build (for example, May 2026 or later as new versions are released).
    2. Plan to adopt newer gateway releases promptly as they become available, since dependency updates (including Log4j) are delivered only through those official builds.
    3. Avoid manual modification of gateway installation files, including JARs, because such changes are not covered by the documented update and support model.

    For vulnerability management and detection of Log4j-related issues across the environment, Defender Vulnerability Management can be used to discover vulnerable Log4j-core files and Uber-JARs, but remediation for the gateway itself must be via official gateway updates.


    Was this answer helpful?
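
An added example (not part of either answer above and not Microsoft's code): a read-only PowerShell check that reports which log4j-core version a gateway installation actually carries, useful for audit evidence before and after an official gateway update. The function name `Get-Log4jCoreInventory` is hypothetical, the `-Path` value must be your own gateway installation directory, and reading `Implementation-Version` from the JAR manifest is an assumption with the file name as fallback.

```powershell
# Added example: read-only inventory; nothing under the gateway directory is modified.
# Get-Log4jCoreInventory is a hypothetical helper name, not a Microsoft cmdlet.
# Usage: Get-Log4jCoreInventory -Path '<gateway install directory>' | Format-List
# Limitation: matches files named log4j-core-*.jar only; shaded/Uber-JAR copies are not found.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-Log4jCoreInventory {
    param(
        [Parameter(Mandatory)] [string] $Path,   # gateway install directory (assumption: you supply it)
        [version] $MinimumVersion = '2.25.4'      # policy floor quoted in the question
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter 'log4j-core-*.jar' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $jar = $_
        # Version as claimed by the file name, e.g. log4j-core-2.25.3.jar
        $fromName = if ($jar.Name -match '^log4j-core-(\d+(\.\d+){1,3})') { $Matches[1] }
        # Version as recorded inside the archive (a JAR is a ZIP file)
        $fromManifest = $null
        $zip = $null
        try {
            $zip = [System.IO.Compression.ZipFile]::OpenRead($jar.FullName)
            $entry = $zip.GetEntry('META-INF/MANIFEST.MF')
            if ($entry) {
                $reader = [System.IO.StreamReader]::new($entry.Open())
                try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
                if ($text -match '(?m)^Implementation-Version:\s*(\S+)') { $fromManifest = $Matches[1] }
            }
        } catch { Write-Warning "Cannot read $($jar.FullName): $_" }
        finally { if ($zip) { $zip.Dispose() } }

        # Prefer the manifest value; strip any suffix such as -SNAPSHOT before comparing
        $reported = if ($fromManifest) { $fromManifest } else { $fromName }
        $parsed = $null
        $ok = [version]::TryParse(($reported -replace '[^0-9.].*$', ''), [ref]$parsed)
        [pscustomobject]@{
            File            = $jar.FullName
            NameVersion     = $fromName
            ManifestVersion = $fromManifest
            MeetsPolicy     = ($ok -and $parsed -ge $MinimumVersion)
            NameMismatch    = ($fromName -and $fromManifest -and $fromName -ne $fromManifest)
            SHA256          = (Get-FileHash -LiteralPath $jar.FullName -Algorithm SHA256).Hash
        }
    }
}
```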
