As you may have seen in the news, a new zero-day exploit has been reported against the popular Log4J2 library which can allow an attacker to remotely execute code. The vulnerability has been reported with CVE-2021-44228 against the log4j-core
jar and has been fixed in Log4J v2.15.0.
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j
and log4j-api
jars that we include in spring-boot-starter-logging
cannot be exploited on their own. Only applications using log4j-core
and including user input in log messages are vulnerable.
Our upcoming v2.5.8 & v2.6.2 releases (due Dec 23, 2021) will pickup Log4J v2.15.0, but since this is such a serious vulnerability you may want to override our dependency management and upgrade your Log4J2 dependency sooner.
Maven
For Maven users, you can follow these instructions and the set the log4j2.version
property.
For example:
<properties>
<log4j2.version>2.15.0</log4j2.version>
</properties>
To check that the override as been applied run ./mvnw dependency:list | grep log4j
and check that the version is 2.15.0.
Gradle
For Gradle users, you can follow these instructions and update the version property, import the BOM or use aresolutionStrategy
.
For most users, setting the log4j2.version
property will be sufficient:
ext['log4j2.version'] = '2.15.0'
If you’re using Gradle’s platform support instead of our dependency management plugin then you can add a dependency to the Log4J BOM:
implementation(platform("org.apache.logging.log4j:log4j-bom:2.15.0"))
And if you can’t use either of those methods then you can declare a resolutionStrategy
:
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.apache.logging.log4j') {
details.useVersion '2.15.0'
}
}
}
Whichever method you choose, to check that the override has been applied you can run ./gradlew dependencyInsight --dependency log4j-core
and look for version 2.15.0.
Other Options
For users that can’t upgrade, another option is to set thelog4j2.formatMsgNoLookups
system property to true
. For example, you can start your app using java -Dlog4j2.formatMsgNoLookups=true -jar myapp.jar
.
转自 https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot