IMPORTANT - Spring Boot and the Log4j exploit

 
Saloon Keeper
One of the convenient things about Spring Boot is the "starters". They can pull in a whole raft of resources with a single dependency.

One of those resources, however, may be a vulnerable version of Log4J. Currently, only Log4j 2.17.0 is considered safe.

As far as I know, none of the Spring Boot starters has been updated for that, however, so if you want to avoid possibly being exploited, you need to explicitly override the Log4j version in your (gradle or maven) build file.

For Maven, you can check by using the "mvn dependency:tree" command to list what's getting pulled in and what version it is. Or many IDEs will happily display the transitive dependencies.
 
Sheriff

Tim Holloway wrote: As far as I know, none of the Spring Boot starters has been updated for that, however, so if you want to avoid possibly being exploited, you need to explicitly override the Log4j version in your (gradle or maven) build file.

Versions 2.5.8 and 2.6.2 have been released quite recently which (finally) bump the version from 2.14.x to 2.17.0.

However, as far as I know, none of the Spring Boot starters actually use Log4J 2 as the logging implementation. There is spring-boot-starter-log4j, but that uses Log4J 1 (with its own vulnerabilities). The starter hasn't been updated since 2016, so it's not even compatible with Spring Boot 2.x.

spring-boot-starter-logging does include the Log4J 2 API, but not the implementation. This causes logging from any application or included library that uses the Log4J 2 API to be redirected to SLF4J (through log4j-to-slf4j) and on to Logback, which is the actual logging implementation. (The same goes for any logging using java.util.Logger, thanks to jul-to-slf4j.) Since the API has not been vulnerable to Log4Shell, Spring Boot applications were only vulnerable if they included the Log4J 2 implementation, which does not happen out of the box. That said, updating to version 2.5.8 or 2.6.2 is still suggested.

I think that setting property log4j2.version to 2.17.0 should also work, but I haven't tried it.
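As an added example (not code from either post), here is a Maven pom.xml fragment that pins every managed Log4j 2 artifact to 2.17.0 through the log4j2.version property mentioned above; the Spring Boot parent version (2.6.1, a release older than the 2.5.8/2.6.2 fixes) and the web starter are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
                             http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- assumed: a Boot release whose managed Log4j 2 version is still 2.14.x -->
    <version>2.6.1</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>       <!-- placeholder coordinates -->
  <artifactId>log4j-pinned-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Overrides the log4j2.version property inherited from spring-boot-dependencies,
         so log4j-api, log4j-to-slf4j and (if anything pulls it in) log4j-core all
         resolve to 2.17.0 instead of the 2.14.x that Boot 2.6.1 manages.
         NOTE: this only works when spring-boot-starter-parent is the parent. A project
         that imports spring-boot-dependencies as a BOM must instead import
         org.apache.logging.log4j:log4j-bom:2.17.0 (type pom, scope import) in its own
         dependencyManagement, listed BEFORE the Boot BOM, because a property set here
         does not reach an imported BOM. -->
    <log4j2.version>2.17.0</log4j2.version>
  </properties>

  <dependencies>
    <!-- assumed starter; it transitively brings spring-boot-starter-logging,
         i.e. log4j-api + log4j-to-slf4j + logback, but not log4j-core -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>

  <!-- Verify the override took effect by listing only the Log4j 2 artifacts:
         mvn dependency:tree -Dincludes=org.apache.logging.log4j
       Every org.apache.logging.log4j line should now show version 2.17.0. -->
</project>
```

With Gradle and the Spring Boot dependency-management plugin, the equivalent is `ext['log4j2.version'] = '2.17.0'` in build.gradle, checked with `gradle dependencies --configuration runtimeClasspath`.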
 