spring-boot-starter-logging depends on vulnerable log4j version #28978
Comments
As I've already explained in the related issue,
This is incorrect. The log4j-to-slf4j module is part of Log4j2 and overriding the It's also worth reiterating that an application that depends on
Thank you for your explanation, it is clear now.
Hi, I use Spring Boot 2.2.6.RELEASE and I am facing the Log4Shell issue (this version of Spring Boot uses Log4j2 2.12.1). We declare the dependency management as follows
and the log4j2 2.15.0 dependency is explicitly declared in another internal import. But when I check the dependency tree I find the 2.12.1 log4j2 version. I think Spring Boot overrides my framework's log4j version. How can I manage the dependency properly (exclusions do not work on import scope)? We have already tried to add the log4j2.version property, but it seems not to take effect for an import scope declared in dependencyManagement, as recommended on the website https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot . Thanks
The property override will only work if you are using our parent pom. For imports, you should use Maven's Something like

```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>2.16.0</version>
      <!-- a BOM can only be imported with type pom -->
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

I'll try to update the blog post when I get time.
The blog post you've referenced has a link to the instructions for Maven, this one specifically as you're not using the parent. Concretely this should be as follows:

```xml
<dependencyManagement>
  <dependencies>
    <!-- the Log4j BOM import comes first so its versions win -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <version>2.16.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <type>pom</type>
      <version>2.2.6.RELEASE</version>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

The log4j dependency must be before our bom import (the link above explains that as well).
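The two maintainer replies above boil down to two rules: the `log4j2.version` property only takes effect under `spring-boot-starter-parent`, and a project that imports `spring-boot-dependencies` instead must pin Log4j with its own `dependencyManagement` entry placed before that import. The following is an added example, not code from the Spring Boot project or from anyone in this thread: a small checker that parses a pom.xml, applies those two rules, and reports whether the Log4j pin will actually win. The pom fragments (`BOOT_IMPORT`, `LOG4J_BOM`, `make_pom`) are constructed fixtures for the example; the `check_log4j_override` function and its result keys are this example's own names.

```python
import xml.etree.ElementTree as ET

BOOT_GROUP = "org.springframework.boot"
LOG4J_GROUP = "org.apache.logging.log4j"

# Constructed fixtures: the Spring Boot BOM import from the thread, and a
# Log4j BOM import (a BOM must be declared with type pom and scope import).
BOOT_IMPORT = """<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot-dependencies</artifactId>
  <version>2.2.6.RELEASE</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>"""
LOG4J_BOM = """<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-bom</artifactId>
  <version>2.16.0</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>"""


def make_pom(managed, log4j2_version=None, boot_parent=False):
    """Assemble a minimal constructed pom.xml string (fixture, not a real project)."""
    parent = ""
    if boot_parent:
        parent = ("<parent><groupId>org.springframework.boot</groupId>"
                  "<artifactId>spring-boot-starter-parent</artifactId>"
                  "<version>2.2.6.RELEASE</version></parent>")
    props = ""
    if log4j2_version:
        props = f"<properties><log4j2.version>{log4j2_version}</log4j2.version></properties>"
    return (f'<project xmlns="http://maven.apache.org/POM/4.0.0">{parent}{props}'
            f"<dependencyManagement><dependencies>{''.join(managed)}"
            "</dependencies></dependencyManagement></project>")


def _strip_ns(root):
    """Drop the POM namespace so elements can be matched by local tag name."""
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def _text(el, tag):
    child = el.find(tag)
    return child.text.strip() if child is not None and child.text else None


def check_log4j_override(pom_xml):
    """Apply the thread's two rules and say whether the Log4j pin is effective."""
    root = _strip_ns(ET.fromstring(pom_xml))
    parent = root.find("parent")
    uses_boot_parent = (parent is not None
                        and _text(parent, "groupId") == BOOT_GROUP
                        and _text(parent, "artifactId") == "spring-boot-starter-parent")
    props = root.find("properties")
    log4j2_property = None
    if props is not None:
        for child in props:  # tag contains a dot, so match by name rather than XPath
            if child.tag == "log4j2.version" and child.text:
                log4j2_property = child.text.strip()

    boot_import_index = log4j_index = log4j_pin = None
    for i, dep in enumerate(root.findall("dependencyManagement/dependencies/dependency")):
        group, artifact = _text(dep, "groupId"), _text(dep, "artifactId")
        is_boot_bom = (group == BOOT_GROUP and artifact == "spring-boot-dependencies"
                       and _text(dep, "scope") == "import")
        if is_boot_bom and boot_import_index is None:
            boot_import_index = i
        elif group == LOG4J_GROUP and log4j_index is None:
            log4j_index, log4j_pin = i, _text(dep, "version")

    if uses_boot_parent:
        # Rule 1: under the parent, the property (or an own managed entry) overrides.
        effective = log4j2_property is not None or log4j_pin is not None
        advice = "OK" if effective else "set log4j2.version or pin Log4j in dependencyManagement"
    elif boot_import_index is not None:
        # Rule 2: with the BOM import, only an own entry declared before it wins.
        effective = log4j_index is not None and log4j_index < boot_import_index
        if log4j_pin is None:
            advice = ("log4j2.version only works with the parent; " if log4j2_property else "") + \
                     "add a Log4j entry before the spring-boot-dependencies import"
        else:
            advice = "OK" if effective else "move the Log4j entry above the spring-boot-dependencies import"
    else:
        effective = log4j_pin is not None
        advice = "no Spring Boot dependency management found"
    return {"uses_boot_parent": uses_boot_parent, "boot_bom_imported": boot_import_index is not None,
            "log4j2_property": log4j2_property, "log4j_pin": log4j_pin,
            "override_effective": effective, "advice": advice}


if __name__ == "__main__":
    for label, pom in [("property only, BOM import", make_pom([BOOT_IMPORT], "2.16.0")),
                       ("pin after import", make_pom([BOOT_IMPORT, LOG4J_BOM])),
                       ("pin before import", make_pom([LOG4J_BOM, BOOT_IMPORT]))]:
        print(label, "->", check_log4j_override(pom)["advice"])
```

The checker only reads the pom; after rearranging the entries, confirm what Maven actually resolves with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`, which is the step the reporter above used to notice the 2.12.1 version still winning.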
Hi, OK, I will check it. FYI, we use the 2.2.6.RELEASE version. Is it possible to create a 2.2.7.RELEASE with the 2.16.0 log4j version? I can do the PR, but it's my first time and I'm not sure that the PR will be validated to do the release. Thanks
Spring Boot 2.2.x is out of OSS support for over 2 years. Please upgrade to at least 2.5.x at your earliest convenience.
OK, thanks for your reply.
spring-boot-starter-logging indirectly depends on log4j version 2.14 through the log4j-to-slf4j adapter dependency.
This version of log4j has been the subject of a zero-day vulnerability as explained here: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html
This means that all projects that use Spring Boot could be subject to that same zero-day whenever log4j code is actually executed, directly or indirectly.
A related ticket has been opened here: #28958, but that one is talking about the optional log4j2 instead, which can optionally be updated through the log4j2.version variable. But this is about log4j without the 2, which by default is included in Spring Boot starters in Maven.