In my spring boot application, I'm using log4j2.

<dependency>
   <groupId>org.springframework.boot</groupId>
   <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>

Which is by default picking up version -

<version>2.1.6.RELEASE</version>

This version of log4j2 internally uses log4j:

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.11.2</version>
  <scope>compile</scope>
</dependency>

Recently it has been announced - log4j has some serious vulnerabilities till version 2.16.

Also no version of log4j2 till now uses safer version - 2.17 of log4j.

So I want to first try to update my pom to use 2.17 version of log4j without changing parent log4j2 version.

I know it might not work & might give compilation issues, but I still want to try it first.

How can I do that?

CodePudding user response：

You can use <dependencyManagement>:

<dependencyManagement>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-core</artifactId>
       <version>[2.17,)</version>
    </dependency>
</dependencyManagement>

This configures the dependency log4j-core (if it exists) to use version 2.17 or later (see Version Range References).

Put the dependencyManagement section next to your dependencies section.

CodePudding user response：

I would suggest to define log4j via bom file like this:

  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-bom</artifactId>
    <version>2.17.0</version>
    <scope>import</scope>
    <type>pom</type>
  </dependency>