Skip to main content

How to resolve Log4j CVE-2021-44228 in Spring Boot

 As you may know, Log4j released a patch (actually a couple of patches) recently for a vulnerability [CVE-2021-44228] that was identified in their library. Since a lot of Spring boot applications are out there using Log4j 2.x series. It is better to fix them as soon as possible. 

Also, this article is considering you are using Maven for dependency management.

Fixing this in the Spring boot applications is easy. It is just adding a version property for the pom.xml. 

As of this date of writing, the latest updated Log4J version is 2.17.1. So the fix is to update the version property with this.


<properties>
    <log4j2.version>2.17.1</log4j2.version>
    <log4j.version>2.17.1</log4j.version>
</properties>

If you are using BOM, instead of spring boot parent dependency, update it as follows.

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.17.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        ...
    </dependencies>
</dependencyManagement>


Is this enough?

Mostly yes, but maybe Not entirely.

We may be out of the woods since you might have fixed the log4j that is being used within your application code, but what if you have used some other library that is still using the log4j vulnerable version? The best way to find out if you are still using a vulnerable version is to check the dependency tree. 

mvn dependency:tree

Since the dependency tree could be quite long and hard to pinpoint the packages, I have used the following trick to identify such dependencies within dependencies.

First, grep the log4j out of the dependency tree

mvn dependency:tree | grep log4j

This will give an output like below.

[INFO] | \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] | +- log4j:log4j:jar:2.8.2:compile

Notice that,  have the proper log4j 2.17 version but still some library is apparently using an older version of log4j. Since it could also be vulnerable we have to exclude this from the parent package. 

To find the parent package, we can use the below command.

mvn dependency:tree -Dincludes=log4j

[INFO] com.mycompany.myproject.component1:component1:jar:4.4.0-SNAPSHOT
[INFO] \- com.mycompany.myproject.componentxyz:componentxyz:jar:10.1.15-RELEASE:compile
[INFO]    \- log4j:log4j:jar:2.8.2:compile

So, the above output shows the parent packages for the log4j dependency we found earlier.
Notice that, my project is the myproject.component1, and I'm having a dependency within my pom file as below.

        <dependency>
            <groupId>com.mycompany.myproject</groupId>
            <artifactId>componentxyz</artifactId>
            <version>10.1.15-RELEASE</version>
        </dependency>

Within that, there is a reference for the log4j older version. To fix that, we have to exclude it as below.


        <dependency>
            <groupId>com.mycompany.myproject</groupId>
            <artifactId>componentxyz</artifactId>
            <version>10.1.15-RELEASE</version>
            <exclusions>
                <exclusion>
                    <groupId>log4j</groupId>
                    <artifactId>log4j</artifactId>
                </exclusion>
            </exclusions>
        </dependency>


Check the dependency tree repetitively like this to make sure you're absolutely free of vulnerable dependencies.


P.S.
If your project is getting run time errors after excluding log4j older versions, it could probably be because you excluded a dependency of log4j1.x series. The interfaces are quite different for log4j1.x and log4j2.x. If it is a stable Log4j1.x version without any vulnerabilities, you can just leave it because the above issues are not impacted to the log4j 1.x series. 

If you really wanna upgrade that to log4j 2.17.1 then;
If you own the code of this, you will have to update the source code of this dependency to make sure it is using the latest log4j version. 
If you don't own it, probably you'll have to reach out to the guys who are developing this for a patch version. There's a good chance they have already updated and released one with a patch.

References:
https://logging.apache.org/log4j/2.x/security.html
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot


Log4j




Labels:

Comments

Post a Comment

Popular posts from this blog

Install Docker on Windows 11 with WSL Ubuntu 22.04

This is to install Docker within Ubuntu WSL without using the Windows Docker application. Follow the below steps. Install Ubuntu 22.04 WSL 1. Enable Windows Subsystem for Linux and Virtual Machine platform Go to Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off 2. Switch to WSL 2 Open Powershell and type in the below command. wsl --set-default-version 2 If you don't have WSL 2, download the latest WSL 2 package and install it.  3. Install Ubuntu Open Microsoft Store and search for Ubuntu. Select the version you intend to install. I'd use the latest LTS version Ubuntu 22.04. Click on the Get button. It will take a couple of minutes to download and install. 4. Open up the installed Ubuntu version that was installed. If you get an error like the below image, make sure to install the WSL2 Kernel update .  If it's an older Ubuntu version the error message would be something like the image below. Error: WSL 2 requires an update to its
1 comment
Read more

How to fix SSLHandshakeException PKIX path building failed in Java

TL ; DR 1. Extract the public certificate of the website/API that you are trying to connect from your Java application. Steps are mentioned in this post 2. Use the Java keytool to install the extracted certificate into the "cacerts" file (Trust store) keytool -import -trustcacerts -alias <domain name> -file <public certificate>.cert -keystore /path_to_java_home/jre/lib/security/cacerts -storepass changeit 3. Restart your Java application Exception A typical exception stack trace would look like below. javax.net.ssl. SSLHandshakeException : sun.security.validator.ValidatorException: PKIX path building failed : sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) at sun.security.ssl.Handshake
Post a Comment
Read more

Automatically open Chrome developer tools in a new tab

Sometimes we need to check the console or the network transactions of a link that opens up in a new tab. By default, the Chrome developer tools are not opening in a new tab. So, by the time when we hit F12 and open the dev tools, part of the information we needed could be already gone.  There's a setting in dev tools where you can keep the dev tools open automatically in a new tab. To enable that, hit F12 and open up the dev tools. Click on the settings icon in the top right corner. In the Preferences section, scroll down to the bottom. You'll be able to find the option to Auto-open DevTools for popups. Select the checkbox and we're good to go!
Post a Comment
Read more