CVE-2021-44228 Fixing Log4J2 Vulnerability in Spring Boot
December 11, 2021
How to check my application is vulnerable?
For your application to be vulnerable log4j-core has to be in your classpath.
The vulnerability is only present in log4j-core 2.14.1 and earlier versions.
For Maven projects:
./mvnw dependency:list | grep log4j
For Gradle:
./gradlew dependencies | grep log4j
Once you grep the console output, check whether log4j-core is present in your dependencies list. 
You can ignore log4j-to-slf4j and log4j-api dependencies in your grep output as these two were included by the spring-boot-starter-logging and cannot be exploited on their own. 
Only applications that include log4j-core and accept user input to format log messages are vulnerable.
Fixes
If your application is vulnerable consider one of the following fixes.
- Upgrade log4j to 2.15.0 or newer
- Remove org.apache.logging.log4j.core.lookupJndiLookupclass from the classpath
- Switch to SLF4J