securitygradlelogginglog4jspring-boot-starter

How to fix log4j vulnerability


I heard Log4j core is vulnerable according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

So I need a fix to get rid of vulnerabilities from my services!

I am trying to bump up log4j from older versions to 2.15.0

I can manually upgrade the dependencies but the problem is I don't know, is there any dependency that is downloading the log4j older version or not!

So I want some solution that will just upgrade the log4j dependency in my projects either they are direct or transitive :)


Solution

  • [UPDATE] Log4j rolled out a new version 2.17.0 with some more security fixes and recommended using 2.17.0 in systems :)

    [UPDATE] Log4j released one more build which is 2.16.0 with one more security fix!


    I found the dirty fix!

    Just add the following code block in your build.gradle and this will upgrade your log4j libs to 2.16.0

    regardless of the dependency is direct or transitive

    configurations.all {
        resolutionStrategy.eachDependency { DependencyResolveDetails details ->
            if (details.requested.group == 'org.apache.logging.log4j') {
                details.useVersion '2.17.0'
            }
        }
    }