Upgrade to log4j 2.15.0 to address CVE-2021-44228

[sdarvell]

Could log4j be upgraded to 2.15.0 to address CVE-2021-44228?

adding below in pom.xml seems to do it

<dependencyManagement>
    <dependencies>
     ...
           <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-bom</artifactId>
             <version>2.15.0</version>
             <scope>import</scope>
             <type>pom</type>
        </dependency>
     ...
        <dependency>

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

[dropdeadfu]

yes please, i second that

[davideicardi]

I have tried to create a PR #316 . I'm not a Maven expert, but it looks like that just adding it inside dependencyManagement was not enough. So I just declared it explicitly. Feedbacks are welcome.

[patros-ki]

Hi. According to the latest updates on the log4j vulnerability, the version 2.15.0 upgrade is not sufficient anymore. The latest update required is to upgrade to version 2.16.0. Could log4j be upgraded to 2.16.0 please?

[davideicardi]

@patros-ki yes, the PR already uses version 2.16

[ababiec]

We will need an official release as IT is hounding us to replace any vulnerable instances of log4j.

[pulkitsethi]

@davideicardi I tried your first comment, with the <dependencyManagement>, but put in 2.16.0 and that worked for me. Not sure doing it explicitly on each dependency is need, as you did in #316.

Update after Line 49:

            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
                <version>2.16.0</version>
                <scope>import</scope>
                <type>pom</type>
            </dependency>

After updating the <dependencyManagemenet>, I ran these two commands to see which version of log4j2 the project was using:

Running ./mvnw dependency:tree | grep -E 'log4j' shows all the versions to be 2.16.0.

[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.4.4:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO] |  +- org.apache.logging.log4j:log4j-jul:jar:2.16.0:compile

Also tried ./mvnw dependency:list | grep log4j

[INFO]    org.springframework.boot:spring-boot-starter-log4j2:jar:2.4.4:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.16.0:compile
[INFO]    org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:compile
[INFO]    org.apache.logging.log4j:log4j-jul:jar:2.16.0:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.16.0:compile

Reference: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

[patros-ki]

Will a new release be provided for this fix?

[davideicardi]

@pulkitsethi I have tried to just update dependencyManagement but looking at the classpath I continue to see old log4j version. I have also tried to to build the docker image and then get dependencies using syft. The only way that I have found to get correct version is explicitly declaring it.
But not an expert, so maybe I was doing something wrong...

[mih-kopylov]

Yeah, such a depedencyManagement works to override log4j version:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
                <version>2.16.0</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>

            <dependency>
                <!-- Import dependency management from Spring Boot -->
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>${spring.boot.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

[davideicardi]

I confirm, now it seems to work. I just update my PR.
Thank you @mih-kopylov and @pulkitsethi

[mih-kopylov]

Looking forward to seeing the pr merged and a release cut

[patros-ki]

I confirm, now it seems to work. I just update my PR. Thank you @mih-kopylov and @pulkitsethi

Thanks @davideicardi. Well done! Any ideas when this fix will be packaged as an updated release?

[mcs]

I just created an own pull request where I updated most dependency versions and replaced the Spring Boot Starter Parent's usage as BOM by including it as a pom parent (which also updates plugins like maven-surefire-plugin and others). That makes it more standard with regards to Spring Initializr generated projects and by using newer library versions, we probably have less security issues with other dependencies as well.