Log4J2 Vulnerability and Spring Boot
Updates: Since this blog post was published, a new logback 1.2.9 version has been released. While this fixes a security issue, the prerequisites for exploitation are very different, as it "requires write access to logback's configuration file". Log4J has also released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105. Spring Boot 2.5.8 and 2.6.2 have been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0. Log4J 2.17.1 contains a fix for CVE-2021-44832.
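As an added example (not from the original post), this is the Maven property override a Spring Boot project can use when it cannot yet move to Boot 2.5.8 or 2.6.2 but needs the patched libraries: `log4j2.version` and `logback.version` are the properties that Spring Boot's dependency management defines, while the parent version shown is assumed for illustration.

```xml
<!-- pom.xml fragment: pin the managed Log4J / logback versions (added example) -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.1</version> <!-- assumed: an older Boot release whose managed Log4J is not yet fixed -->
  </parent>

  <properties>
    <!-- Overriding these properties makes every transitive org.apache.logging.log4j:*
         and ch.qos.logback:* artifact resolve to the fixed releases named in the update above. -->
    <log4j2.version>2.17.1</log4j2.version>
    <logback.version>1.2.9</logback.version>
  </properties>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`: every listed artifact should resolve to 2.17.1, and no older `log4j-core` should remain on the classpath.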
As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported as CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0…