Patch known Log4J RCE security vulnerability #28981
Labels
status: duplicate
A duplicate of another issue
Comments
spring-projects-issues
added
the
status: waiting-for-triage
wilkinsona
added
status: duplicate
|
Ah, apologies, I see now that I only searched in open issues before I created this one, not also in closed issues. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
See https://www.lunasec.io/docs/blog/log4j-zero-day/ and https://www.randori.com/blog/cve-2021-44228/.
Brief summary: a Remote Code Execution vulnerability was discovered yesterday in Log4J between versions 2.0 and 2.14.1 inclusive.
This vulnerability was patched in the most recent release, 2.15.0.
I see that the Spring Boot Logging Starter has a dependency to
org.apache.logging.log4j:log4j-to-slf4j, at version2.14.1, a vulnerable version.From what I can tell,
log4j-to-slf4jis the only artifact of the grouporg.apache.logging.log4jto which Spring Boot has any dependency. I am unsure whether this artifact alone exposes this vulnerability, or if only thelog4j-coreartifact is vulnerable.Raising this issue as a "better safe than sorry" measure, to discern if Spring is left vulnerable here, and patch to most recent version if so.
The text was updated successfully, but these errors were encountered: