As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the
log4j-core jar and has been fixed in Log4J v2.15.0.
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The
log4j-api jars that we include in
spring-boot-starter-logging cannot be exploited on their own. Only applications using
log4j-core and including user input in log messages are vulnerable.
Our upcoming v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pickup Log4J v2.15.0, but since this is such a serious vulnerability you may want to override our dependency management and upgrade your Log4J2 dependency sooner.
For Maven users, you can follow these instructions and the set the
To check that the override as been applied run
./mvnw dependency:list | grep log4j and check that the version is 2.15.0.
For Gradle users, you can follow these instructions and update the version property, import the BOM or use a
For most users, setting the
log4j2.version property will be sufficient:
If you’re using Gradle’s platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:
And if you can’t use either of those methods then you can declare a
Whichever method you choose, to check that the override has been applied you can run
./gradlew dependencyInsight --dependency log4j-core and look for version 2.15.0.
For users that can’t upgrade, another option is to set the
log4j2.formatMsgNoLookups system property to
true. For example, you can start your app using
java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar.