2

I want to find all usages of log4j prior to the current version (2.15.0).

I tried using maven's "mvn dependency:tree", used several tools (dependency-check, grype (didn't work for me), syft (didn't work for me), log4j-detector) but they only list the classes which were generated after specifying them in the pom.xml.

But - and this is my concern:

E.g. There is a library which I am using called hibernate-validator (Hibernate Validator Engine). I am sure this engine uses Jboss logging, which in turn uses log4j 2.11.2, but none of my tools above warned me of this. How can I find out, which libraries use log4j?

Or are external libraries not a threat for this exploit?

Please advise.

Saph1r0
  • 41
  • 3
  • hi, perhaps expand the packages and look for any jar matching the version (or check the manifest of log4j jars) – jspcal Dec 13 '21 at 18:57
  • Maybe I am misunderstanding the whole thing anyway. E.g. Is this library, jboss-logging, even able to use log4j 2.11.2 or will maven automatically pick the log4j version specified in the module's pom.xml instead? – Saph1r0 Dec 13 '21 at 19:19
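The comment above suggests opening the jars and checking their manifests. The script below is an added example (not code from the asker or from any commenter) that does that for every jar under a directory, including jars nested inside fat/uber jars, which `mvn dependency:tree` never shows. It identifies log4j-core by the `JndiLookup` class rather than by file name, so renamed or shaded copies are still found. The manifest attribute names it reads (`Implementation-Title`, `Implementation-Version`, `Log4jReleaseVersion`) are assumptions about how the jar was packaged; the sample jars it builds are constructed test data, not real artefacts.

```python
"""Scan a directory of jars for log4j-core below 2.15.0, reading manifest
versions and descending into jars nested inside fat jars (e.g. BOOT-INF/lib)."""
import io
import os
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)
# Class that only log4j-core ships; its presence identifies the artefact
# regardless of what the jar file is called.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Manifest attributes assumed to carry the version (assumption: Maven's archiver
# writes Implementation-Version; Log4jReleaseVersion is log4j-specific).
VERSION_ATTRS = ("Log4jReleaseVersion", "Implementation-Version")


def parse_version(text):
    """'2.11.2' -> (2, 11, 2); tolerates suffixes such as '2.15.0-rc2'."""
    out = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        out.append(int(digits) if digits else 0)
    while len(out) < 3:
        out.append(0)
    return tuple(out)


def manifest_fields(zf):
    """Parse META-INF/MANIFEST.MF into a dict (continuation lines ignored)."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return {}
    fields = {}
    for line in raw.splitlines():
        if ":" in line and not line.startswith(" "):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def inspect_jar(zf, label):
    """Return findings for this jar and, recursively, any jar nested in it."""
    findings = []
    names = set(zf.namelist())
    fields = manifest_fields(zf)
    is_core = JNDI_CLASS in names or fields.get("Implementation-Title") == "Apache Log4j Core"
    if is_core:
        version = next((fields[a] for a in VERSION_ATTRS if a in fields), "unknown")
        findings.append({
            "jar": label,
            "version": version,
            "jndi_lookup_present": JNDI_CLASS in names,
            # Unknown version is treated as not fixed so it gets reviewed by hand.
            "below_2_15_0": version == "unknown" or parse_version(version) < FIXED_VERSION,
        })
    for name in sorted(names):
        if name.endswith(".jar"):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            findings.extend(inspect_jar(inner, f"{label}!{name}"))
    return findings


def scan_directory(root):
    """Walk root and inspect every .jar/.war/.ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.endswith((".jar", ".war", ".ear")):
                path = os.path.join(dirpath, fname)
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_jar(zf, path))
    return findings


def make_jar(entries):
    """Build an in-memory jar from {name: bytes_or_str} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree():
    """Constructed sample: a loose log4j-core 2.11.2 jar, a fat app jar embedding
    the same jar under BOOT-INF/lib, and an unrelated jboss-logging jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core = make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: Apache Log4j Core\r\n"
                                "Implementation-Version: 2.11.2\r\n\r\n",
        JNDI_CLASS: b"",  # empty stand-in for the real class file
    })
    jboss = make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nImplementation-Title: JBoss Logging 3\r\n"
                                "Implementation-Version: 3.4.1.Final\r\n\r\n",
        "org/jboss/logging/Logger.class": b"",
    })
    app = make_jar({
        "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\n\r\n",
        "BOOT-INF/lib/log4j-core-2.11.2.jar": core,
        "BOOT-INF/lib/jboss-logging-3.4.1.Final.jar": jboss,
    })
    for name, data in (("log4j-core-2.11.2.jar", core), ("app.jar", app)):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan_directory(build_sample_tree()):
        print(hit)
```

Point `scan_directory` at a deployment directory (or a Maven local repository) rather than the constructed sample; the nested-jar labels use `outer.jar!inner/path.jar` so a hit inside a fat jar is traceable to the artefact that shipped it.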

2 Answers

8

Hibernate Validator lead here. You don't have it in your dependency tree because it is not used at all by Hibernate Validator nor by JBoss Logging.

Hibernate Validator has a test dependency on Log4j 2 but it's only a test dependency. That is why you don't see it in your dependency tree, which is accurate.

I'm in the process of releasing new HV versions with an updated test dependency but it is not a problem for your applications, they won't depend on Log4j 2 through Hibernate Validator.

See https://github.com/hibernate/hibernate-validator/blob/main/engine/pom.xml#L119 .

Update: to avoid false positives from security scanners, I have released Hibernate Validator 7.0.2.Final and 6.2.1.Final.

Guillaume Smet
  • 9,921
  • 22
  • 29
4

Logging interfaces such as JBoss logging, Jakarta Commons Logging, SLF4J and Log4j 2.x API (which is different from the vulnerable log4j-core) do not depend directly on any logging backend.

By default they choose their backend according to the classes they find in the classpath: if you don't have log4j-core version 2.14.1 or earlier on your classpath, they will not use it.

The worst case scenario you can get: if they don't find a backend, they revert to a default, which might be logging to the console or not logging at all.

Edit: see this question on how to force Maven to only use Log4j 2.15.0 (if it is at all needed).

Piotr P. Karwasz
  • 12,857
  • 3
  • 20
  • 43
  • Thank you for answer and the edit, this is very reassuring to hear. In that linked question, log4j is included with pom and import. In my pom.xml, it was included with just jar and without the scope parameter. Do I need to switch to the new syntax, or does this work identically for "forcing Maven to only use Log4j 2.15.0"? – Saph1r0 Dec 13 '21 at 19:36
  • That answer uses **managed dependencies** (cf. [documentation](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html#Dependency_Management)), which is different from usual dependencies. If you add a dependency to ``, you must omit that dependency's `` from the usual dependencies. – Piotr P. Karwasz Dec 13 '21 at 19:40
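Both the asker's `mvn dependency:tree` check and the answer's point about pinning log4j-core through `dependencyManagement` can be verified mechanically. The script below is an added example (not code from the asker or the answerers): it parses the `groupId:artifactId:type[:classifier]:version:scope` lines that `dependency:tree` prints, flags log4j-core entries below 2.15.0 while separating test scope (which, as the first answer notes, never ships with the application), and reads the version pinned under `<dependencyManagement>` in a pom.xml. The line format assumed for the tree output and the sample tree and pom are constructed test data.

```python
"""Flag log4j-core below 2.15.0 in `mvn dependency:tree` output and read the
version pinned in a pom's <dependencyManagement>."""
import re
import xml.etree.ElementTree as ET

FIXED = (2, 15, 0)
LOG4J_GROUP = "org.apache.logging.log4j"
# Assumed tree line shape: optional "[INFO]" prefix, tree-drawing characters,
# then groupId:artifactId:type[:classifier]:version:scope
LINE_RE = re.compile(
    r"(?:\[INFO\]\s*)?[\s|+\\\-]*"
    r"([\w.\-]+):([\w.\-]+):(\w+):(?:([\w.\-]+):)?([\w.\-]+):(\w+)\s*$"
)
POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(text):
    """'2.11.2' -> (2, 11, 2); non-numeric suffixes are ignored, missing parts are 0."""
    out = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        out.append(int(m.group()) if m else 0)
    while len(out) < 3:
        out.append(0)
    return tuple(out)


def find_log4j_core(tree_text, fixed=FIXED):
    """Return every log4j-core entry in the tree with its scope and fix status."""
    hits = []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # root coordinate, plugin banner lines, etc.
        group, artifact, _type, classifier, version, scope = m.groups()
        if group == LOG4J_GROUP and artifact == "log4j-core":
            hits.append({
                "version": version,
                "classifier": classifier,
                "scope": scope,
                "below_fix": parse_version(version) < fixed,
                "test_only": scope == "test",  # never packaged with the app
            })
    return hits


def managed_log4j_core_version(pom_xml):
    """Version pinned for log4j-core under <dependencyManagement>, or None."""
    root = ET.fromstring(pom_xml)
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", POM_NS):
        if (dep.findtext("m:groupId", namespaces=POM_NS) == LOG4J_GROUP
                and dep.findtext("m:artifactId", namespaces=POM_NS) == "log4j-core"):
            return dep.findtext("m:version", namespaces=POM_NS)
    return None


# Constructed sample output, in the shape dependency:tree prints (not a real run).
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0
[INFO] +- org.hibernate.validator:hibernate-validator:jar:6.2.0.Final:compile
[INFO] |  +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
[INFO] |  \\- org.jboss.logging:jboss-logging:jar:3.4.1.Final:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.11.2:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:tests:2.11.2:test
"""

# Constructed pom fragment pinning log4j-core to 2.15.0 via dependencyManagement.
SAMPLE_POM = """\
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>2.15.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

if __name__ == "__main__":
    for hit in find_log4j_core(SAMPLE_TREE):
        print(hit)
    print("managed log4j-core version:", managed_log4j_core_version(SAMPLE_POM))
```

In practice feed `find_log4j_core` the saved output of `mvn dependency:tree` (for example via `-DoutputFile=`) and run `managed_log4j_core_version` on the parent pom; once the managed version is in place, the tree should show only that version for log4j-core, which is the check that the pin actually took effect.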