Log4J2 Vulnerability and Spring Boot

Engineering | Phil Webb | December 10, 2021 | ...

Updates: Since this blog post has been published, a new logback 1.2.9 version has been published. While this fixes a security issue, prerequisites for exploits are very different as they "requires write access to logback's configuration file". Log4J also released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105. Spring Boot 2.5.8 and 2.6.2 haven been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0. Log4J 2.17.1 contains a fix for CVE-2021-44832

As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0.

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Our upcoming v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pick up Log4J v2.17.0, but since this is such a serious vulnerability you may want to override our dependency management and upgrade your Log4J2 dependency sooner.

Maven

For Maven users, you can follow these instructions and the set the log4j2.version property.

For example, if you are using our parent POM you can set the log4j2.version property:

<properties>
    <log4j2.version>2.17.1</log4j2.version>
</properties>

If you are not using our parent, but instead are importing the spring-boot-dependencies BOM, you'll need to use a <dependencyManagement> section:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        ... other dependencies including spring-boot-dependencies
    </dependencies>
</dependencyManagement>

To check that the override as been applied run ./mvnw dependency:list | grep log4j and check that the version is 2.17.1.

Gradle

For Gradle users, you can follow these instructions and update the version property, import the BOM or use aresolutionStrategy.

For most users, setting the log4j2.version property will be sufficient:

ext['log4j2.version'] = '2.17.1'

If you're using Gradle's platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:

implementation(platform("org.apache.logging.log4j:log4j-bom:2.17.1"))

And if you can’t use either of those methods then you can declare a resolutionStrategy:

configurations.all {
	resolutionStrategy.eachDependency { DependencyResolveDetails details ->
		if (details.requested.group == 'org.apache.logging.log4j') {
			details.useVersion '2.17.1'
		}
	}
}

Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core and look for version 2.17.1.

Get the Spring newsletter

Stay connected with the Spring newsletter

Subscribe

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all