A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?

5

There are 5 answers

2
tombear On

This will also stipulate spring-boot-starter-log4j2's log4j2 components version.

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>2.17.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

Following up @Piotr P. Karwasz's recommendation, that's a better setting choice.
Update:

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

By the way, If the project's log4j dependencies are only from spring-boot-starter-log4j2, it has a definitive setting way, refer to spring blog

<properties>
    <log4j2.version>2.17.0</log4j2.version>
</properties>
1
xerx593 On

Updates:


OP:

"by default" is NOT AFFECTED by CVE-2021-44228().

Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j, Slf4j says:

If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.

To be sure,

  • in inspect the output of:

    mvn dependency:tree -Dincludes='*log4j*'
    
  • in :

    gradle -q dependencyInsight --dependency log4j
    

Having spring-boot-starter-log4j2 on board

We are definitely affected (with spring-boot > 1)!

To (fix via) update, the easiest is probably:

  • maven:

    <properties>
       ...
      <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 -->
    </properties>
    

    ..in the pom.

  • gradle:

    ext['log4j2.version'] = '2.17.1'
    

    .. in build.gradle, or:

    log4j2.version=2.17.1
    

    .. in gradle.properties.

...build, test, release, deploy.


Links:

0
Pratik Dutta On

Now it's recommended to use <log4j2.version>2.16.0</log4j2.version>

0
PaoloC On

Generally for maven projects, you can force log4j-core version with deps mgmt.

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
            <version>2.17.0</version>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

After this, make sure this pom.xml and all inheriting pom.xml do define log4j deps without tag so that they will all benefit from this centralized change.

0
Sampada On

As per the apache site, the the minimum acceptable level for log4j is now 2.17.1 - The mitigation is to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).