What is the easiest way in Maven pom.xml to upgrade all usages of log4j2 to 2.15.0, including depend

Time:12-15

A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?

CodePudding user response:

This will also stipulate the version of the log4j2 components pulled in by spring-boot-starter-log4j2.

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j</artifactId>
            <version>2.15.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

Following @Piotr P. Karwasz's recommendation, this is a better choice of setting.
Update:

<dependencyManagement>
    <dependencies>
        ...
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.15.0</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>

By the way, if the project's log4j dependencies come only from spring-boot-starter-log4j2, there is a definitive way to set this; refer to the Spring blog:

<properties>
    <log4j2.version>2.15.0</log4j2.version>
</properties>

CodePudding user response:

Spring Boot "by default" is NOT AFFECTED by CVE-2021-44228.

Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j, Slf4j says:

If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.

To be sure,

  • in maven, inspect the output of:

    mvn dependency:tree -Dincludes=*log4j*

  • in gradle:

    gradle -q dependencyInsight --dependency log4j

Having spring-boot-starter-log4j2 on board

We are definitely affected (with spring-boot > 1)!

To (fix via) update, the easiest is probably:

  • maven:

    <properties>
       ...
      <log4j2.version>2.16.0</log4j2.version><!-- as of 2021/12/13 -->
    </properties>

    .. in the pom.

  • gradle:

    log4j2.version=2.16.0

    .. in gradle.properties.

...build, test, release, deploy. ;(;(;(


As Spring Boot says.
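Both answers above end with the same advice: after pinning the version, check what `mvn dependency:tree -Dincludes=*log4j*` actually resolves. The script below is an added example (not code from either answer) that parses such output and flags any `org.apache.logging.log4j` artifact still resolving below a floor version, 2.15.0 by default as in the question. The tree text is a constructed sample, not captured from a real build; its `(version managed from …)` annotations mimic what Maven prints in verbose mode when a dependencyManagement override has been applied. Note that the tree already reflects the BOM import or `log4j2.version` override, so a stale version appearing here means the override did not reach that artifact.

```python
"""Flag log4j 2 artifacts below a minimum version in `mvn dependency:tree` output.

Added example for this Q&A; not part of the original answers.
"""
import re
from typing import Dict, List, Tuple

LOG4J2_GROUP = "org.apache.logging.log4j"
# Maven dependency scopes; a coordinate ends with one of these when it is not the root.
SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
# groupId:artifactId:type[:classifier]:version[:scope] -- 3 to 5 colons.
COORD_RE = re.compile(r"[A-Za-z0-9_.\-]+(?::[A-Za-z0-9_.\-]+){3,5}")

# Constructed sample (not a real build). log4j-core deliberately still resolves to
# 2.14.1 to show what a missed override looks like.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.15.0:compile (version managed from 2.14.1)
[INFO]    |  \\- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile (version managed from 2.14.1)
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \\- org.apache.logging.log4j:log4j-jul:jar:2.15.0:compile
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1). Qualifiers after '-' (e.g. '-rc1') are ignored."""
    nums = re.findall(r"\d+", version.split("-")[0])
    return tuple(int(n) for n in nums)


def parse_coordinates(tree_text: str) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every coordinate in the tree output."""
    found = []
    for line in tree_text.splitlines():
        for match in COORD_RE.finditer(line):
            parts = match.group(0).split(":")
            # The root coordinate carries no scope, so the version is the last field there.
            version = parts[-2] if parts[-1] in SCOPES else parts[-1]
            found.append((parts[0], parts[1], version))
    return found


def effective_versions(tree_text: str) -> Dict[str, str]:
    """artifactId -> resolved version for every log4j 2 artifact in the tree."""
    return {a: v for g, a, v in parse_coordinates(tree_text) if g == LOG4J2_GROUP}


def find_below_minimum(tree_text: str, minimum: str = "2.15.0") -> List[Tuple[str, str]]:
    """log4j 2 artifacts whose resolved version is lower than `minimum`, sorted by artifactId."""
    floor = version_tuple(minimum)
    hits = {
        (a, v)
        for g, a, v in parse_coordinates(tree_text)
        if g == LOG4J2_GROUP and version_tuple(v) < floor
    }
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python check_log4j_tree.py < tree.txt  (here it runs on the constructed sample)
    stale = find_below_minimum(SAMPLE_TREE)
    for artifact, version in stale:
        print(f"{artifact} resolved to {version}, below 2.15.0")
    raise SystemExit(1 if stale else 0)
```

The script exits non-zero when anything is flagged, so it can sit in a build step after `mvn dependency:tree -Dincludes=*log4j* > tree.txt`. Raise the `minimum` argument as the project moves to later releases such as the 2.16.0 mentioned in the second answer.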
