CVE-2021-44228 Fixing Log4J2 Vulnerability in Spring Boot
December 11, 2021
How to check my application is vulnerable?
For your application to be vulnerable
log4j-core has to be in your classpath.
The vulnerability is only present in
2.14.1 and earlier versions.
For Maven projects:
./mvnw dependency:list | grep log4j
./gradlew dependencies | grep log4j
Once you grep the console output, check whether log4j-core is present in your dependencies list.
You can ignore
log4j-api dependencies in your grep output as these two were included by the
spring-boot-starter-logging and cannot be exploited on their own.
Only applications that include
log4j-core and accept user input to format log messages are vulnerable.
If your application is vulnerable consider one of the following fixes.
- Upgrade log4j to 2.15.0 or newer
org.apache.logging.log4j.core.lookupJndiLookupclass from the classpath
- Switch to SLF4J