I want to find all usages of log4j prior to the current version (2.15.0).

I tried using maven's "mvn dependency:tree", used several tools (dependency-check, grype (didn't work for me), syft (didn't work for me), log4j-detector) but they only list the classes which were generated after specifying them in the pom.xml.

But - and this is my concern:

E.g. There is a library which I am using called hibernate-validator (Hibernate Validator Engine). I am sure this engine uses Jboss logging, which in turn uses log4j 2.11.2, but none of my tools above warned me of this. How can I find out, which libraries use log4j?

Or are external libraries not a threat for this exploit?

Please advise.

CodePudding user response：

Hibernate Validator lead here. You don't have it in your dependency tree because it is not used at all by Hibernate Validator nor by JBoss Logging.

Hibernate Validator has a test dependency to Log4j 2 but it's only a test dependency. Thus why you don't see it in your dependency tree, which is accurate.

I'm in the process of releasing new HV versions with an updated test dependency but it is not a problem for your applications, they won't depend on Log4j 2 through Hibernate Validator.

See https://github.com/hibernate/hibernate-validator/blob/main/engine/pom.xml#L119 .

CodePudding user response：

Logging interfaces such as JBoss logging, Jakarta Commons Logging, SLF4J and Log4j 2.x API (which is different from the vulnerable log4j-core) do not depend directly on any logging backend.

By default they choose their backend according to the classes they find in the classpath: if you don't have log4j-core version 2.14.1 or earlier on your classpath, they will not use it.

The worst case scenario you can get: if they don't find a backend, they revert to a default, which might be logging to the console or not logging at all.

Edit: see this question on how to force Maven to only use Log4j 2.15.0 (if it is at all needed).