A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?
What is the easiest way in Maven pom.xml to upgrade all usages of log4j2 to 2.15.0, including dependencies using log4j2? See CVE-2021-44228
Asked by thomas.schuerger. There are 5 answers.
Updates:
- 2022/01/04: Log4J 2.17.1 contains a fix for CVE-2021-44832
- 2021/12/22: Spring Boot 2.5.8 and 2.6.2 have been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.
- 2.17.0 fixes CVE-2021-45105
- 2.12.2 released (2021/12/14)
- 2.16.0 also fixes CVE-2021-45046
OP:
spring-boot "by default" is NOT AFFECTED by CVE-2021-44228 (log4shell).
Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j, Slf4j says:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
To be sure, in maven inspect the output of:
mvn dependency:tree -Dincludes='*log4j*'
in gradle:
gradle -q dependencyInsight --dependency log4j
Having spring-boot-starter-log4j2 on board, we are definitely affected (with spring-boot > 1)!
To (fix via) update, the easiest is probably:
maven:
<properties>
  ...
  <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 -->
</properties>
.. in the pom.
gradle:
ext['log4j2.version'] = '2.17.1'
.. in build.gradle, or:
log4j2.version=2.17.1
.. in gradle.properties.
...build, test, release, deploy.
Links:
Generally for maven projects, you can force the log4j-core version with dependency management:
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
After this, make sure this pom.xml and all inheriting pom.xml files define their log4j deps without a <version> tag, so that they all benefit from this centralized change.
As per the apache site, the minimum acceptable level for log4j is now 2.17.1. The mitigation is to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
This will also stipulate the version of spring-boot-starter-log4j2's log4j2 components.
Following up @Piotr P. Karwasz's recommendation, that's a better setting choice.
Update:
By the way, if the project's log4j dependencies come only from spring-boot-starter-log4j2, there is a definitive way to set it; refer to the Spring blog.