I heard Log4j
core is vulnerable according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
So I need a fix to get rid of vulnerabilities from my services!
I am trying to bump up log4j from older versions to 2.15.0
I can manually upgrade the dependencies but the problem is I don't know, is there any dependency that is downloading the log4j older version or not!
So I want some solution that will just upgrade the log4j dependency in my projects either they are direct or transitive :)
[UPDATE] Log4j rolled out a new version 2.17.0
with some more security fixes and recommended using 2.17.0
in systems :)
[UPDATE]
Log4j released one more build which is 2.16.0
with one more security fix!
I found the dirty fix!
Just add the following code block in your build.gradle and this will upgrade your log4j libs to 2.16.0
regardless of the dependency is direct or transitive
configurations.all {
resolutionStrategy.eachDependency { DependencyResolveDetails details ->
if (details.requested.group == 'org.apache.logging.log4j') {
details.useVersion '2.17.0'
}
}
}