-3

How to fix Log4J vulnerability | CVE 2021-44228 in Spring Boot ? Is there any bug in Log4j 2.15.0 version?

Pratik Dutta

1 Answer

-1

To fix this vulnerability we need to upgrade the 2.x version of log4j to at least 2.16.0 or later.

Steps:

  1. Go to the pom.xml of the Spring Boot project
  2. Go to the <properties></properties> section
  3. Add <log4j2.version>2.16.0</log4j2.version>
Jeff
Pratik Dutta
  • Which only applies if you are actually using Log4j2; when using the default, logback, you don't need to do anything (although upgrading to logback 1.2.8 to prevent a very unlikely case of the same hack might be wise). So blindly upgrading without investigating if one actually uses it isn't the way. Which is explained in detail here https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot – M. Deinum Dec 15 '21 at 08:43
  • It's recommended to use 2.16.0 – Pratik Dutta Dec 15 '21 at 16:16
  • 2
    Which only applies **when you are using log4j2** if you aren't you aren't vulnerable. Spring Boot doesn't use log4j2. – M. Deinum Dec 15 '21 at 18:51
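As an added example (not part of the question, the answer or the comments above), this is what a Spring Boot pom.xml looks like once the answer's three steps are applied, together with the starter swap that the comments identify as the precondition for the property to matter at all: the `log4j2.version` property only overrides a dependency that is actually on the classpath, and with Spring Boot's default `spring-boot-starter-logging` (Logback) there is no log4j-core to upgrade. The group/artifact coordinates and the parent version are placeholders.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.1</version> <!-- placeholder: use whatever Boot version the project is on -->
  </parent>

  <!-- hypothetical project coordinates -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Step 3 of the answer: override the Log4j 2 version that
         spring-boot-dependencies manages. This line does nothing unless
         log4j-core is actually pulled in (see the starter swap below). -->
    <log4j2.version>2.16.0</log4j2.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
      <!-- Boot's default logging starter is Logback, not Log4j 2.
           Only a project that excludes it and adds the log4j2 starter
           is running log4j-core and is affected by CVE-2021-44228. -->
      <exclusions>
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <!-- the starter that brings in log4j-core; its version now comes
           from the log4j2.version property above -->
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
  </dependencies>
</project>
```

To check which case a project is in before editing anything, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` prints only the Log4j artifacts in the resolved tree; if `log4j-core` does not appear, the project is on Logback and the property override changes nothing, which is the point M. Deinum makes in the comments. If it does appear, re-running the same command after the change should show it at the version set in `log4j2.version`.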