Home > Software engineering >  Get rid of spring-boot-starter-data-mongodb dependency on vulnerable Log4J version
Get rid of spring-boot-starter-data-mongodb dependency on vulnerable Log4J version

Time:12-14

Given that Log4J 2.x is suffering from a major remote code execution vulnerability (Check vulnerability), I started taking a look at my project dependencies to see if I use Log4J through e.g. slf4j and luckily I am not.

But I found another dependency on Log4J through spring-boot-starter-data-mongodb. Last version of the package was produced on Nov. 2021, so the issue is not mitigated there.

How can I get rid of the dependency without getting rid of spring-boot-starter-data-mongodb as I rely heavily on it.

➜  mvn dependency:tree | grep -B 5 log4j
[INFO]  - org.springframework.boot:spring-boot-starter-data-mongodb:jar:2.2.5.RELEASE:compile
[INFO] |   - org.springframework.boot:spring-boot-starter:jar:2.2.5.RELEASE:compile
[INFO] |  |   - org.springframework.boot:spring-boot-starter-logging:jar:2.2.5.RELEASE:compile
[INFO] |  |  |   - ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |   - org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile

CodePudding user response:

Per the Spring blog, you don't need to:

The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

  • Related