The Log4J2 vulnerability
Posted By : Amarnath Kumar | 30-Mar-2022
The Log4J2 vulnerability: as you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library that could allow an attacker to execute code remotely.
- The vulnerability has been fixed in Log4J v2.15.0. Spring Boot users are affected by this vulnerability only if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own.
- Only applications that use log4j-core and include user input in log messages are vulnerable.
- The upcoming Spring Boot v2.5.8 and v2.6.2 releases (due December 23, 2021) will adopt Log4J v2.17.0, but since this is such a serious vulnerability, you can override our dependency management and upgrade your Log4J2 dependencies right away.
Maven:
In Maven you can override the managed version by setting the log4j2.version property.
For example, if you're using the Spring Boot parent pom you can set the log4j2.version property:
<properties>
    <log4j2.version>2.17.1</log4j2.version>
</properties>
If you're not using our parent, but instead importing the spring-boot-dependencies BOM, you'll need to use the following dependencyManagement section (the Log4J BOM must be imported before spring-boot-dependencies so that its versions win):
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        <!-- ... other dependencies including spring-boot-dependencies -->
    </dependencies>
</dependencyManagement>
To check that the override has been applied, run ./mvnw dependency:list | grep log4j and confirm that the version is 2.17.
Gradle:
Gradle users can either set the version property, import the BOM, or use a resolution strategy.
For most users, setting the log4j2.version property will be sufficient:
ext['log4j2.version'] = '2.17.1'
If you are using Gradle's platform support instead of the Spring Boot dependency management plugin, you can add a dependency on the Log4J BOM:
implementation(platform("org.apache.logging.log4j:log4j-bom:2.17.1"))
If you can't use either of these methods, you can declare a resolution strategy that forces every org.apache.logging.log4j artifact to the patched version:
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.1'
        }
    }
}
Whichever method you choose, you can run ./gradlew dependencyInsight --dependency log4j-core and confirm that the resolved version is 2.17.
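The ./mvnw dependency:list | grep log4j check above is easy to do by eye once, but it is the kind of check that should run on every build. The following POSIX shell gate is an added example, not code from the original post: it parses dependency:list output and fails when any org.apache.logging.log4j artifact resolves below 2.17.1. The sample dependency:list lines are constructed, with log4j-api overridden but log4j-core still stale, which is the partial-override case the gate must catch.

```shell
#!/bin/sh
# Added example, not from the original post: a CI gate that parses the output of
# `./mvnw dependency:list` and fails when any org.apache.logging.log4j artifact
# resolves below the minimum patched version used in this post (2.17.1).
MIN_LOG4J_VERSION="2.17.1"

# version_ge A B: succeed (exit 0) when dotted version A >= B, compared
# component by component as integers (so 2.17.10 > 2.17.2).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# check_log4j_versions: reads dependency:list output on stdin, prints one line
# per log4j artifact, returns 1 if any of them is older than MIN_LOG4J_VERSION.
check_log4j_versions() {
    rc=0
    while read -r line; do
        case "$line" in
            *org.apache.logging.log4j:*) ;;
            *) continue ;;
        esac
        # Strip the Maven "[INFO]" prefix; coordinates are group:artifact:type[:classifier]:version:scope
        coord=$(printf '%s\n' "$line" | sed 's/^\[INFO\][[:space:]]*//')
        artifact=$(printf '%s\n' "$coord" | cut -d: -f2)
        version=$(printf '%s\n' "$coord" | awk -F: '{ print $(NF-1) }')
        if version_ge "$version" "$MIN_LOG4J_VERSION"; then
            echo "OK   $artifact $version"
        else
            echo "FAIL $artifact $version (below $MIN_LOG4J_VERSION)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output: log4j-api was overridden but log4j-core still
# resolves to a vulnerable version, which is exactly what the gate must catch.
SAMPLE_LIST='[INFO]    org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile'

printf '%s\n' "$SAMPLE_LIST" | check_log4j_versions || echo "gate: vulnerable log4j artifact found"
```

In a real pipeline replace the sample with `./mvnw dependency:list | check_log4j_versions` so the non-zero exit fails the build.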
About Author
Amarnath Kumar
Amarnath Kumar is a highly skilled Backend Developer with more than two years of experience in the industry. He is well-versed in the latest technologies and has hands-on experience in Core Java, Spring-Boot, Spring-Security, Hibernate, Apache Kafka messaging queue, and Blockchain application development based on Ethereum, Tron, and Relational databases like MySQL and PostgreSQL. He is proficient in API implementations, Web Services, Socket programming, and code enhancements. He has contributed significantly to the company's success through his work on various client projects, including Wethio-Exchange, Hedgex Exchange, and many more. He enjoys reading and exploring new technologies to enhance his knowledge and expertise.