A severe security vulnerability was found for log4j2 <= 2.14.1 (see https://nvd.nist.gov/vuln/detail/CVE-2021-44228). How can I update the pom.xml of a Spring Boot application to make sure that all (recursive) usages of log4j2 use version 2.15.0?
Updates:
- 2022/01/04:
Log4J 2.17.1 contains a fix for CVE-2021-44832
- 2021/12/22:
Spring Boot 2.5.8 and 2.6.2 have been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.
- 2.17.0 fixes CVE-2021-45105
- 2.12.2 released (2021/12/14)
- 2.16.0 also fixes CVE-2021-45046
OP:
spring-boot "by default" is NOT AFFECTED by CVE-2021-44228 (log4shell).
Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j,
Slf4j says:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
To be sure, in maven inspect the output of:
mvn dependency:tree -Dincludes='*log4j*'
in gradle:
gradle -q dependencyInsight --dependency log4j
Having spring-boot-starter-log4j2 on board, we are definitely affected (with spring-boot > 1)!
To (fix via) update, the easiest is probably:
maven:
<properties>
  ...
  <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 -->
</properties>
.. in the pom.
gradle:
ext['log4j2.version'] = '2.17.1'
.. in build.gradle, or:
log4j2.version=2.17.1
.. in gradle.properties.
...build, test, release, deploy.
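The answer above says to inspect `mvn dependency:tree -Dincludes='*log4j*'` before and after the override; the following script is an added example, not part of the original answer, that turns that inspection into a pass/fail check. It parses the tree output, looks only at the resolved `log4j-core` version (log4j-api and the slf4j bridge alone are not the vulnerable implementation, as the answer notes), and compares it against the fixed release for that branch, using the 2.3.2 / 2.12.4 / 2.17.1 minimums quoted from Apache at the end of this page. The tree text embedded in the script is a constructed sample, not real build output.

```shell
#!/bin/sh
# Added example (not from the original answers): fail if the *resolved*
# log4j-core on the classpath is below the fixed release for its branch.
# Input is the text of `mvn dependency:tree -Dincludes='*log4j*'`.

# Fixed release per maintained branch (minimums quoted from Apache on this page).
min_for_version() {
  case "$1" in
    2.3.*)  echo 2.3.2 ;;   # Java 6 line
    2.12.*) echo 2.12.4 ;;  # Java 7 line
    *)      echo 2.17.1 ;;  # Java 8+ line
  esac
}

# version_ge A B: exit 0 if dotted version A >= B, compared numerically per component.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) exit 1
      if (p > q) exit 0
    }
    exit 0
  }'
}

# Read a dependency tree on stdin and print "artifactId:version" for every
# org.apache.logging.log4j artifact. Tree lines look like:
#   [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
log4j_versions() {
  grep -o 'org\.apache\.logging\.log4j:[^:]*:jar:[^:]*' \
    | sed 's/^org\.apache\.logging\.log4j:\([^:]*\):jar:\([^:]*\)$/\1:\2/'
}

# check_tree: read tree text on stdin; return 1 if any log4j-core is below
# the fixed release for its branch, 0 otherwise (also 0 if no log4j-core at all).
check_tree() {
  bad=0
  found=0
  for pair in $(log4j_versions); do
    artifact=${pair%%:*}
    version=${pair#*:}
    # Only log4j-core carries the vulnerable implementation; api/bridges are not enough.
    [ "$artifact" = "log4j-core" ] || continue
    found=1
    min=$(min_for_version "$version")
    if version_ge "$version" "$min"; then
      echo "ok: log4j-core $version (>= $min)"
    else
      echo "VULNERABLE: log4j-core $version < $min" >&2
      bad=1
    fi
  done
  [ "$found" -eq 1 ] || echo "no log4j-core on the classpath"
  return $bad
}

# Constructed sample of dependency:tree output for a project on
# spring-boot-starter-log4j2 2.5.6 before any log4j2.version override.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO]    +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO]    |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile'

# Stand-alone demo (`sh thisfile.sh demo`): the sample must fail, and the same
# tree with log4j-core bumped to 2.17.1 must pass.
if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_TREE" | check_tree && exit 1
  printf '%s\n' "$SAMPLE_TREE" | sed 's/2\.14\.1/2.17.1/g' | check_tree
fi
```

In a real build, source the file and pipe the plugin output through it, e.g. `mvn -q dependency:tree -Dincludes='*log4j*' | check_tree`, once before the `log4j2.version` override and once after; `dependency:tree` shows the version Maven actually resolved, so a passing run after the override is the confirmation that the property (or BOM import) really took effect in every module.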
mvn dependency:tree -Dincludes='*log4j*' – Crackpot
This will also stipulate spring-boot-starter-log4j2's log4j2 components version.
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>2.17.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
Following up @Piotr P. Karwasz's recommendation, that's a better setting choice.
Update:
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>2.17.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
By the way, if the project's log4j dependencies come only from spring-boot-starter-log4j2, there is a definitive way to set it; refer to the Spring blog:
<properties>
  <log4j2.version>2.17.0</log4j2.version>
</properties>
The log4j artifact sets the version of many other artifacts that are related to Log4j, but are not part of the Log4j Project. In order to manage the version of only the Log4j artifacts, the log4j-bom should be used. – Jarvey
Now it's recommended to use
<log4j2.version>2.16.0</log4j2.version>
Generally, for Maven projects you can force the log4j-core version with dependency management.
<dependencyManagement>
  <dependencies>
    ...
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>2.17.0</version>
    </dependency>
    ...
  </dependencies>
</dependencyManagement>
After this, make sure this pom.xml and all inheriting pom.xml files declare their log4j dependencies without a <version> tag, so that they all benefit from this centralized change.
As per the Apache site, the minimum acceptable level for log4j is now 2.17.1 - the mitigation is to upgrade to Log4j 2.3.2 (for Java 6), 2.12.4 (for Java 7), or 2.17.1 (for Java 8 and later).
© 2022 - 2024 — McMap. All rights reserved.