As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core jar and has been fixed in Log4J v2.15.0.

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Our upcoming v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pickup Log4J v2.15.0, but since this is such a serious vulnerability you may want to override our dependency management and upgrade your Log4J2 dependency sooner.

Maven

For Maven users, you can follow these instructions and the set the log4j2.version property.

For example:

1
2
3
<properties>
    <log4j2.version>2.15.0</log4j2.version>
</properties>

To check that the override as been applied run ./mvnw dependency:list | grep log4j and check that the version is 2.15.0.

Gradle

For Gradle users, you can follow these instructions and update the version property, import the BOM or use aresolutionStrategy.

For most users, setting the log4j2.version property will be sufficient:

1
ext['log4j2.version'] = '2.15.0'

If you’re using Gradle’s platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:

1
implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))

And if you can’t use either of those methods then you can declare a resolutionStrategy:

1
2
3
4
5
6
7
configurations.all {
	resolutionStrategy.eachDependency { DependencyResolveDetails details ->
		if (details.requested.group == 'org.apache.logging.log4j') {
			details.useVersion '2.15.0'
		}
	}
}

Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core and look for version 2.15.0.

Other Options

For users that can’t upgrade, another option is to set thelog4j2.formatMsgNoLookups system property to true. For example, you can start your app using java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar.

Reference https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot