
I am trying to remove all the vulnerable log4j dependencies from my maven project.

I am using the log4j 2.16 dependency in my pom and have added exclusions for log4j and slf4j in other dependencies.

Still, whenever I run the maven package goal it downloads the log4j 1.2.12 jar.

    [INFO] Copying 1 resource
    [INFO] 
    [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ Test ---
    Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom
    Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.pom (145 B at 0.1 KB/sec)
    Downloading: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar
    Downloaded: https://repo.maven.apache.org/maven2/log4j/log4j/1.2.12/log4j-1.2.12.jar (350 KB at 101.6 KB/sec)

I even ran the mvn dependency:tree command and it only shows log4j 2.16.

What could be the cause for it to download the log4j 1.2.12 jar?

Syed Shahzer

1 Answer

TL;DR: this is not a security concern, but if you think it is, upgrade your maven-compiler-plugin.

Maven plugins, i.e. the libraries that perform the actual work in building your project, also have dependencies: log4j-1.2.12 is a (transitive) dependency of maven-compiler-plugin-3.1, which your project uses.

You can list your plugin versions and dependencies with:

    mvn dependency:resolve-plugins

The fact that Maven downloads log4j does not mean that it will be packaged with your application.

Remark: Version 3.1 of the maven-compiler-plugin is a rather old version. This version is specified in the default lifecycle bindings and for compatibility reasons will never be upgraded. Nevertheless you should specify a newer version in your POM file, e.g.:

    <build>
        <pluginManagement>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-compiler-plugin</artifactId>
                    <version>3.10.1</version>
                </plugin>
            </plugins>
        </pluginManagement>
    </build>

Newer versions of maven-compiler-plugin do not have a log4j:log4j dependency.

Piotr P. Karwasz

  • Tell that to our bosses. Our company is scanning all servers for vulnerable log4j jars and we are being flagged. Dependency seems embedded. – Steven Neiner Mar 10 '22 at 18:59
  • @Piotr P. Karwasz So how can we fix this? Is there a way to exclude this log4j dependency? – thomarkey Jun 01 '22 at 13:23
  • @thomarkey: you don't need to exclude the dependency. Newer versions of the `maven-compiler-plugin` and other plugins do not have this dependency. – Piotr P. Karwasz Jun 01 '22 at 17:38
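The check that settles the question the comments raise: whether the artifact Maven actually packages carries log4j 1.x, since a download into the local repository says nothing about what ships. This is an added example, not code from the question or the answer; it reads the pom.properties that Maven writes into every jar it builds, descends into jars nested in a war, and uses two constructed sample wars (one clean, one with a stray log4j-1.2.12.jar under WEB-INF/lib) as input.

```python
import io
import zipfile

def _props(data: bytes) -> dict:
    """Parse the key=value lines of a Maven pom.properties file."""
    out = {}
    for line in data.decode("utf-8", "replace").splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def bundled_artifacts(archive: bytes, location: str = "<root>") -> list:
    """(location, groupId, artifactId, version) of every Maven-built artifact, nested jars included."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                p = _props(zf.read(name))
                found.append((location, p.get("groupId"), p.get("artifactId"), p.get("version")))
            elif name.endswith(".jar"):
                # Descend into WEB-INF/lib/*.jar and similar nested archives.
                found.extend(bundled_artifacts(zf.read(name), f"{location}/{name}"))
    return found

def log4j1_locations(archive: bytes) -> list:
    """Where, if anywhere, the legacy log4j:log4j 1.x artifact is bundled."""
    return [loc for loc, g, a, v in bundled_artifacts(archive)
            if g == "log4j" and a == "log4j" and (v or "").startswith("1.")]

def _jar(group: str, artifact: str, version: str) -> bytes:
    """Minimal jar holding only Maven's pom.properties (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"groupId={group}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

def sample_war(with_legacy_log4j: bool) -> bytes:
    """Constructed war: log4j 2.16.0 under WEB-INF/lib, optionally with a stray log4j 1.2.12 jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.16.0.jar",
                    _jar("org.apache.logging.log4j", "log4j-core", "2.16.0"))
        if with_legacy_log4j:
            zf.writestr("WEB-INF/lib/log4j-1.2.12.jar", _jar("log4j", "log4j", "1.2.12"))
    return buf.getvalue()
```

Run `log4j1_locations(open("target/Test.war", "rb").read())` against your own build output: an empty list means the plugin-only download from the question never reached the packaged artifact.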