What is the easiest way in Maven pom.xml to upgrade all usages of log4j2 to 2.15.0, including dependencies using log4j2? See CVE-2021-44228

Question

A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?

Answer 1

This will also stipulate spring-boot-starter-log4j2's log4j2 components version.

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>2.17.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

Following up @Piotr P. Karwasz's recommendation, that's a better setting choice.
Update:

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

By the way, If the project's log4j dependencies are only from spring-boot-starter-log4j2, it has a definitive setting way, refer to spring blog

<properties>
    <log4j2.version>2.17.0</log4j2.version>
</properties>

Answer 2

Updates:

• 2022/01/04:

  Log4J 2.17.1 contains a fix for CVE-2021-44832

• 2021/12/22:

  Spring Boot 2.5.8 and 2.6.2 haven been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.

• 2.17.0 fixes CVE-2021-45105
• 2.12.2 released (2021/12/14)
• 2.16.0 fixes also CVE-2021-45046

---

OP:

spring-boot "by default" is NOT AFFECTED by CVE-2021-44228(log4shell).

Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j, Slf4j says:

If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.

To be sure,

• in maven inspect the output of:

  mvn dependency:tree -Dincludes='*log4j*'
  

• in gradle:

  gradle -q dependencyInsight --dependency log4j
  

---

Having spring-boot-starter-log4j2 on board

We are definitely affected (with spring-boot > 1)!

To (fix via) update, the easiest is probably:

• maven:

  <properties>
     ...
    <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 -->
  </properties>
  

  ..in the pom.

• gradle:

  ext['log4j2.version'] = '2.17.1'
  

  .. in build.gradle, or:

  log4j2.version=2.17.1
  

  .. in gradle.properties.

...build, test, release, deploy.

---

Links:

• log4j2-vulnerability-and-spring-boot
• slf4j-log4shell
• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105

Answer 3

Now it's recommended to use <log4j2.version>2.16.0</log4j2.version>

Answer 4

Generally for maven projects, you can force log4j-core version with deps mgmt.

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.17.0</version>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

After this, make sure this pom.xml and all inheriting pom.xml do define log4j deps without tag so that they will all benefit from this centralized change.

Answer 5

As per the apache site, the the minimum acceptable level for log4j is now 2.17.1 - The mitigation is to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).