Are there any ways to fix Log4j vulnerability when it is being used as a transitive dependency

Question

My project has a transitive dependency on log4j v1.2.16 through org.mobicents.servlet.sip package used in my project as a direct dependency.

But org.mobicents.servlet.sip is no longer actively developed.

Are there any options to fix this vulnerability other than waiting for org.mobicents.servlet.sip to fix the issue.

score 1 · Answer 1 · answered Jan 19 '22 at 12:01

You may want to use the log4j-1.2-api bridge. To do this

exclude dependency towards log4j 1.x (mind the different groupid, which has changed between 1.x and 2.x)

<dependencies>
  <dependency>
    <groupId>org.mobicents.servlet.sip</groupId>
    <artifactId>sip-servlets-spec</artifactId>
    <exclusions>
      <exclusion>
        <groupId>log4j</groupId><artifactId>log4j</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

add dependency towards log4j 2.17.1, with the bridge

<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-api</artifactId><version>2.17.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-1.2-api</artifactId><version>2.17.1</version></dependency>
<dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.1</version></dependency>

Looks like `sip-servlets-spec` does some programmatic configurations on legacy log4j, tried this and doesn't seem to work. Thanks. — Suthan S M, Jan 19 '22 at 15:02

score 0 · Accepted Answer · answered Feb 04 '22 at 13:45

The final solution was to explode the log4j-1.2.17.jar, remove the affected classes SocketServer.class and JMSAppender.class, create a custom jar and use it.

Commands used to explode and create new jar was taken from below stackoverflow answer

Reference: https://stackoverflow.com/a/16806235/8864570

Are there any ways to fix Log4j vulnerability when it is being used as a transitive dependency

2 Answers2