Home > database >  How to fix log4j vulnerability - Gradle
How to fix log4j vulnerability - Gradle

Time:12-15

as it is known, log4j vulnerability has emerged. How can we close this gap in our own projects? Do we have a chance to push a version on gradle?

CodePudding user response:

My own solution to help

constraints{
        implementation("org.apache.logging.log4j:log4j-core"){
            version{
                strictly("[2.15,3[")
                prefer("2.15.0")
            }
            because("CVE-2021-44228 : Log4j is vulnerable to remote code execution")
        }
    }

CodePudding user response:

This is the solution we used in our spring-boot project where we manage dependencies using the enforcedPlatform method:

dependencies {
  api(enforcedPlatform("org.springframework.boot:spring-boot-dependencies:${springBootVersion}")) {
    exclude(group: "org.apache.logging.log4j")
  }
  api(platform("org.apache.logging.log4j:log4j-bom:2.15.0")) {
    because "https://nvd.nist.gov/vuln/detail/CVE-2021-44228"
  }
}

This is designed to be in-place until such time as we're in a position to upgrade to a version of Spring Boot that pulls in the fixed version itself.

  • Related