IMPORTANT - Spring Boot and the Log4j exploit

Tim Holloway (Saloon Keeper, Posts: 26768):
One of the convenient things about Spring Boot is the "starters". They can pull in a whole raft of resources with a single dependency.

One of those resources, however, may be a vulnerable version of Log4J. Currently, only Log4j 2.17.0 is considered safe.

As far as I know, none of the Spring Boot starters has been updated for that, however, so if you want to avoid possibly being exploited, you need to explicitly override the Log4j version in your (gradle or maven) build file.

For Maven, you can check by using the "mvn dependency:tree" command to list what's getting pulled in and what version it is. Or many IDEs will happily display the transitive dependencies.
Sheriff (Posts: 22730):

Tim Holloway wrote:As far as I know, none of the Spring Boot starters has been updated for that, however, so if you want to avoid possibly being exploited, you need to explicitly override the Log4j version in your (gradle or maven) build file.

Versions 2.5.8 and 2.6.2 have been released quite recently which (finally) bump the version from 2.14.x to 2.17.0.

However, as far as I know, none of the Spring Boot starters actually use Log4J 2 as logging implementation. There is spring-boot-starter-log4j, but that uses Log4J 1 (with its own vulnerabilities). The starter hasn't been updated since 2016, so it's not even compatible with Spring Boot 2.x.

spring-boot-starter-logging does include the Log4J 2 API, but not the implementation. This causes logging from any application or included library that uses the Log4J 2 API to be redirected to SLF4J (through log4j-to-slf4j) to Logback, which is the actual logging implementation. (The same goes for any logging using java.util.Logger thanks to jul-to-slf4j.) Since the API has not been vulnerable for Log4Shell, Spring Boot applications were only vulnerable if they included the Log4J 2 implementation, which does not happen out-of-the-box. That said, updating to version 2.5.8 or 2.6.2 is still suggested.

I think that setting property log4j2.version to 2.17.0 should also work, but I haven't tried it.
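The two posts above describe a check-then-pin procedure: list the transitive dependencies with "mvn dependency:tree", look for which Log4j 2 artifacts (API only, or the log4j-core implementation) are present and at what version, and if needed pin the version through the Spring Boot dependency-management property log4j2.version. The following script is an added example written for this page; it is not code from either poster or from the Spring Boot project. The dependency tree text and the pom.xml it works on are constructed samples, and the function names (find_log4j, has_vulnerable_core, pin_log4j2_version) are this example's own.

```python
"""Scan captured `mvn dependency:tree` output for Log4j 2 artifacts and
pin log4j2.version in a Spring Boot pom.xml to the version the thread
names as safe."""
import re
import xml.etree.ElementTree as ET

SAFE_LOG4J2 = "2.17.0"  # the only version the thread considers safe

# Constructed sample of `mvn dependency:tree` output (not captured from a
# real project). It mirrors the situation the second post describes: the
# starter brings in the Log4j 2 API bridged to Logback, and a third-party
# library separately drags in the log4j-core implementation.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.6.1:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
[INFO] \- com.example:legacy-lib:jar:1.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

# Constructed minimal Spring Boot pom.xml with no log4j2.version override yet.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.1</version>
  </parent>
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <properties>
    <java.version>11</java.version>
  </properties>
</project>
"""

# Matches "groupId:artifactId:jar:version:scope" entries for the Log4j 2 group.
LOG4J_RE = re.compile(r"org\.apache\.logging\.log4j:([\w.-]+):jar:([\w.-]+):")
POM_NS = "http://maven.apache.org/POM/4.0.0"


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def find_log4j(tree_text):
    """All (artifactId, version) pairs from the Log4j 2 group in the tree."""
    return [(m.group(1), m.group(2)) for m in LOG4J_RE.finditer(tree_text)]


def outdated_log4j(tree_text, safe=SAFE_LOG4J2):
    """Log4j 2 artifacts whose version is below the safe release."""
    return [(a, v) for a, v in find_log4j(tree_text)
            if parse_version(v) < parse_version(safe)]


def has_vulnerable_core(tree_text, safe=SAFE_LOG4J2):
    """True only if the implementation (log4j-core) is present and outdated.
    The API-only artifacts the starter pulls in are routed to Logback via
    log4j-to-slf4j, which is why the thread treats them as not exploitable."""
    return any(a == "log4j-core" for a, _ in outdated_log4j(tree_text, safe))


def log4j2_version_property(pom_xml):
    """Current value of <properties><log4j2.version>, or None if unset."""
    root = ET.fromstring(pom_xml)
    prop = root.find(f"{{{POM_NS}}}properties/{{{POM_NS}}}log4j2.version")
    return None if prop is None else prop.text


def pin_log4j2_version(pom_xml, version=SAFE_LOG4J2):
    """Return the pom with log4j2.version set (added or overwritten), which
    overrides the version Spring Boot's dependency management would pick."""
    ET.register_namespace("", POM_NS)  # keep the default namespace unprefixed
    root = ET.fromstring(pom_xml)
    props = root.find(f"{{{POM_NS}}}properties")
    if props is None:
        props = ET.SubElement(root, f"{{{POM_NS}}}properties")
    prop = props.find(f"{{{POM_NS}}}log4j2.version")
    if prop is None:
        prop = ET.SubElement(props, f"{{{POM_NS}}}log4j2.version")
    prop.text = version
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for artifact, version in outdated_log4j(SAMPLE_TREE):
        print(f"outdated: {artifact} {version} (safe: {SAFE_LOG4J2})")
    print("log4j-core vulnerable:", has_vulnerable_core(SAMPLE_TREE))
    print(pin_log4j2_version(SAMPLE_POM))
```

Run it against a real tree with something like `mvn dependency:tree > tree.txt` and feed the file contents to the functions. The override is the Maven form of the property the second post mentions; the Gradle counterpart with the Spring Boot plugin is `ext['log4j2.version'] = '2.17.0'` in build.gradle. Rerun the dependency tree after changing the build file to confirm the pinned version actually took effect.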
 