A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?
- Please check this setting way. https://stackoverflow.com/a/70329703/7235707 – tombear Dec 13 '21 at 10:00
5 Answers
Updates:
- 2022/01/04: Log4J 2.17.1 contains a fix for CVE-2021-44832
- 2021/12/22: Spring Boot 2.5.8 and 2.6.2 have been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.
- 2.17.0 fixes CVE-2021-45105
- 2.12.2 released (2021/12/14)
- 2.16.0 also fixes CVE-2021-45046
OP:
spring-boot "by default" is NOT AFFECTED by CVE-2021-44228 (log4shell). Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j,
Slf4j says:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
To be sure, in maven inspect the output of:
mvn dependency:tree -Dincludes='*log4j*'
in gradle:
gradle -q dependencyInsight --dependency log4j
Having spring-boot-starter-log4j2 on board, we are definitely affected (with spring-boot > 1)!
To (fix via) update, the easiest is probably:
maven:
<properties>
  ...
  <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 -->
</properties>
..in the pom.
gradle:
ext['log4j2.version'] = '2.17.1'
.. in build.gradle, or:
log4j2.version=2.17.1
.. in gradle.properties.
...build, test, release, deploy.
Links:
This will also stipulate the version of spring-boot-starter-log4j2's log4j2 components.
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>2.17.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
Following up on @Piotr P. Karwasz's recommendation, this is a better setting choice.
Update:
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>2.17.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
By the way, if the project's log4j dependencies come only from spring-boot-starter-log4j2, there is a definitive way to set it; refer to the spring blog:
<properties>
  <log4j2.version>2.17.0</log4j2.version>
</properties>
- The `log4j` artifact sets the version of many other artifacts that are related to Log4j, but are not part of the Log4j Project. In order to manage the version of only the Log4j artifacts, the `log4j-bom` should be used. – Piotr P. Karwasz Dec 13 '21 at 19:29
- Is log4j totally/binary backward-compatible? In other words, can it be replaced without changing even a single line of code? https://stackoverflow.com/q/70440185/2365724 – PaoloC Jan 19 '22 at 12:14
Now it's recommended to use
<log4j2.version>2.16.0</log4j2.version>
Generally, for maven projects, you can force the log4j-core version with dependency management.
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
After this, make sure this pom.xml and all inheriting pom.xml files define the log4j deps without a version tag so that they all benefit from this centralized change.
As per the apache site, the minimum acceptable level for log4j is now 2.17.1: the mitigation is to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
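The first answer says to inspect `mvn dependency:tree -Dincludes='*log4j*'`, and the last gives the per-Java minimum safe versions. As an added example (not code from any of the answers), the script below parses that tree output, which is a constructed sample here, and flags every org.apache.logging.log4j artifact below the threshold for the project's Java baseline, so the check can run in CI after the pom or gradle change:

```python
import re

# Minimum safe Log4j 2 versions per Java baseline, as stated in the last answer:
# 2.3.2 for Java 6, 2.12.4 for Java 7, 2.17.1 for Java 8 and later.
MIN_SAFE = {6: (2, 3, 2), 7: (2, 12, 4), 8: (2, 17, 1)}

# Constructed sample of `mvn dependency:tree -Dincludes='*log4j*'` output
# for a Spring Boot 2.6.1 app using spring-boot-starter-log4j2 (not real build output).
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO]    |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
"""

# Maven coordinate groupId:artifactId:jar:version as printed by dependency:tree.
COORD = re.compile(r"(org\.apache\.logging\.log4j):([\w.-]+):jar:([\d.]+)")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def find_log4j_artifacts(tree_output):
    """Return (artifactId, version tuple) for every Log4j Project artifact in the tree."""
    found = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if m:
            found.append((m.group(2), parse_version(m.group(3))))
    return found


def outdated_artifacts(tree_output, java_major=8):
    """Artifacts still below the minimum safe version for the given Java baseline.

    An empty list means the centralized log4j2.version / BOM override took effect
    for every transitive Log4j artifact.
    """
    threshold = MIN_SAFE[min(java_major, 8)]
    return [(a, v) for a, v in find_log4j_artifacts(tree_output) if v < threshold]


if __name__ == "__main__":
    for artifact, version in outdated_artifacts(SAMPLE_TREE):
        print(f"{artifact} {'.'.join(map(str, version))} is below the minimum safe version")
```

Feed it the real tree with `mvn dependency:tree -Dincludes='*log4j*' | python check_log4j.py` after replacing SAMPLE_TREE with `sys.stdin.read()`.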