What is the latest stable Spring Boot version in which the log4j vulnerability is fixed?

I need to fix the log4j vulnerability in my current project. From the `mvn dependency:tree` command, I could see that Spring Boot version 2.3.3.RELEASE is referencing a vulnerable log4j version. I need to upgrade to a Spring Boot version where this vulnerability is fixed.
- 2.3.X is EoL. The latest stable version in which the vulnerability is fixed is 2.6.3 - same as the absolute latest stable version. Or do you mean _oldest_? – Boris the Spider Jan 25 '22 at 06:19
- Strictly speaking Spring Boot is **not** affected by the Log4j vulnerability, but it may depend on a vulnerable version. See [this question](https://stackoverflow.com/q/40390517/11748454) on how to change the version of the Log4j dependencies **without** changing the version of Spring Boot. – Piotr P. Karwasz Jan 25 '22 at 06:57
1 Answer
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pick up Log4J v2.17.0.
Check https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

ozkanpakdil
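The approach mentioned in the comment above (move Log4j to a fixed version without changing the Spring Boot version) can be applied through the `log4j2.version` property that `spring-boot-dependencies` defines. The following `pom.xml` fragment is an added example, not code from the question, the answer, or the Spring Boot project. It assumes the project inherits from `spring-boot-starter-parent`; `2.3.3.RELEASE` is the Spring Boot version named in the question, and `2.17.0` is the Log4j version the answer says the 2.5.8 / 2.6.2 releases pick up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom.xml fragment (assumed project layout, not from the original post). -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Spring Boot version from the question; left unchanged on purpose. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.3.RELEASE</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>          <!-- placeholder coordinates -->
  <artifactId>demo-app</artifactId>       <!-- placeholder coordinates -->
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>1.8</java.version>
    <!--
      spring-boot-dependencies manages every org.apache.logging.log4j artifact
      (log4j-api, log4j-to-slf4j, log4j-core, ...) through this single property.
      Overriding it here moves all of them to the fixed release at once, so the
      starter keeps working but the vulnerable jars no longer appear on the classpath.
    -->
    <log4j2.version>2.17.0</log4j2.version>
  </properties>

  <dependencies>
    <!-- Default logging starter; pulls in log4j-api and log4j-to-slf4j via spring-boot-starter. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, re-run the command from the question restricted to the Log4j group: `mvn dependency:tree -Dincludes=org.apache.logging.log4j` should list only 2.17.0 artifacts. The property override works because `spring-boot-starter-parent` inherits the `dependencyManagement` section of `spring-boot-dependencies`; if the project instead imports `spring-boot-dependencies` as a BOM in its own `<dependencyManagement>`, the property is not honoured and the Log4j artifacts must be declared explicitly in `<dependencyManagement>` before the BOM import.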