Skip to main content

How to resolve Log4j CVE-2021-44228 in Spring Boot

 As you may know, Log4j released a patch (actually a couple of patches) recently for a vulnerability [CVE-2021-44228] that was identified in their library. Since a lot of Spring boot applications are out there using Log4j 2.x series. It is better to fix them as soon as possible. 

Also, this article is considering you are using Maven for dependency management.

Fixing this in the Spring boot applications is easy. It is just adding a version property for the pom.xml. 

As of this date of writing, the latest updated Log4J version is 2.17.1. So the fix is to update the version property with this.


<properties>
    <log4j2.version>2.17.1</log4j2.version>
    <log4j.version>2.17.1</log4j.version>
</properties>

If you are using BOM, instead of spring boot parent dependency, update it as follows.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>


Is this enough?

Mostly yes, but maybe Not entirely.

We may be out of the woods since you might have fixed the log4j that is being used within your application code, but what if you have used some other library that is still using the log4j vulnerable version? The best way to find out if you are still using a vulnerable version is to check the dependency tree. 

mvn dependency:tree

Since the dependency tree could be quite long and hard to pinpoint the packages, I have used the following trick to identify such dependencies within dependencies.

First, grep the log4j out of the dependency tree

mvn dependency:tree | grep log4j

This will give an output like below.

[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] | +- log4j:log4j:jar:2.8.2:compile

Notice that,  have the proper log4j 2.17 version but still some library is apparently using an older version of log4j. Since it could also be vulnerable we have to exclude this from the parent package. 

To find the parent package, we can use the below command.

mvn dependency:tree -Dincludes=log4j

[INFO] com.mycompany.myproject.component1:component1:jar:4.4.0-SNAPSHOT
[INFO] \- com.mycompany.myproject.componentxyz:componentxyz:jar:10.1.15-RELEASE:compile
[INFO]    \- log4j:log4j:jar:2.8.2:compile

So, the above output shows the parent packages for the log4j dependency we found earlier.
Notice that, my project is the myproject.component1, and I'm having a dependency within my pom file as below.

        <dependency>
            <groupId>com.mycompany.myproject</groupId>
            <artifactId>componentxyz</artifactId>
            <version>10.1.15-RELEASE</version>
        </dependency>

Within that, there is a reference for the log4j older version. To fix that, we have to exclude it as below.


        <dependency>
            <groupId>com.mycompany.myproject</groupId>
            <artifactId>componentxyz</artifactId>
            <version>10.1.15-RELEASE</version>
            <exclusions>
                <exclusion>
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
            </exclusions>
        </dependency>


Check the dependency tree repetitively like this to make sure you're absolutely free of vulnerable dependencies.


P.S.
If your project is getting run time errors after excluding log4j older versions, it could probably be because you excluded a dependency of log4j1.x series. The interfaces are quite different for log4j1.x and log4j2.x. If it is a stable Log4j1.x version without any vulnerabilities, you can just leave it because the above issues are not impacted to the log4j 1.x series. 

If you really wanna upgrade that to log4j 2.17.1 then;
If you own the code of this, you will have to update the source code of this dependency to make sure it is using the latest log4j version. 
If you don't own it, probably you'll have to reach out to the guys who are developing this for a patch version. There's a good chance they have already updated and released one with a patch.

References:
https://logging.apache.org/log4j/2.x/security.html
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot


Log4j




Comments

Popular posts from this blog

VLC skins

It's been a while from my first blog post, so today I thought to make a blog post about skins in VLC player. I think you all are familiar with VLC player if not, here's the link for the website www.videolan.org/vlc/index.htm l In brief, VLC player is a free and opensource player that can play almost all the types of media formats. Even though it is a such a nice player, it looks kind of old and rusty, like the windows classic look. But you can make it prettier by just adding some new skins to it.  You can download skins for the player from here http://www.videolan.org/vlc/skins.php Then place the downloaded skin file (.vlt file) in the " skin " folder in the installation directory.           eg:- in windows:    C:\Program Files\VideoLAN\VLC\skins           or in linux systems:  ~/.local/share/vlc/skins Then, open the VLC player and go to the preferences. ...

Java, how to create a list with a single element

 I wanted to create a Java List with a single element. Yet, I wanted to add more elements later. So, I was looking for a couple of ways to do this. So far there are multiple elegant ways to create a list with a single element with a one-liner. Not so much for a modifiable list though. Here's what I gathered so far. Followings are a few ways of creating a list with strictly a single entry. Can't add more elements. 1. Collections.singletonList() This returns an immutable list that cannot be modified or add more elements. // An immutable list containing only the specified object. List<String> oneEntryList = Collections. singletonList ( "one" ) ; oneEntryList.add( "two" ) ; // throws UnsupportedOperationException 2.  Arrays.asList() This returns a fixed-size list consisting of the number of elements provided as arguments. The number of elements provided would be an array hence the size is fixed to the length of the array. // Returns a fixed-size list List...

Find command: How to find and delete 0 bytes files in Linux

In Linux, "find" command is a powerful command that we can use not only to find files. I've used it for different requirements, so thought of posting some of the convenient usages of find commands in a series of posts. For some application issue, I've got one of my directories in Ubuntu system swarmed with empty files with 0 bytes. Some of the files got data in them but some of them were empty. I just wanted to delete the empty files and it wasn't possible to identify them by file names or dates. So find command comes to rescue. find . -size 0 -type f  If I needed to isolate the files by file extension, we can use something like this. find . -size 0 -type f -name "*.tar" You can get the file count by piping it to wc command. find . -size 0 -type f -name "*.tar" | wc -l The awesome thing about the find command is you can use it for deleting files just by adding the -delete flag to the command. find . -size 0 -type f -name "*.tar" -dele...