Is there mitigation for the log4j vulnerability?
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
It appears that Spring is using org.apache.logging.log4j:log4j-api:2.13.3
+--- org.springframework.boot:spring-boot-starter-cache:2.4.11
| +--- org.springframework.boot:spring-boot-starter:2.4.11
| | +--- org.springframework.boot:spring-boot:2.4.11
| | | +--- org.springframework:spring-core:5.3.10 (*)
| | | \--- org.springframework:spring-context:5.3.10 (*)
| | +--- org.springframework.boot:spring-boot-autoconfigure:2.4.11
| | | \--- org.springframework.boot:spring-boot:2.4.11 (*)
| | +--- org.springframework.boot:spring-boot-starter-logging:2.4.11
| | | +--- ch.qos.logback:logback-classic:1.2.6
| | | | +--- ch.qos.logback:logback-core:1.2.6
| | | | \--- org.slf4j:slf4j-api:1.7.32
| | | +--- org.apache.logging.log4j:log4j-to-slf4j:2.13.3
| | | | +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.32
| | | | \--- org.apache.logging.log4j:log4j-api:2.13.3
| | | \--- org.slf4j:jul-to-slf4j:1.7.32
| | | \--- org.slf4j:slf4j-api:1.7.32
| | +--- jakarta.annotation:jakarta.annotation-api:1.3.5
| | +--- org.springframework:spring-core:5.3.10 (*)
| | \--- org.yaml:snakeyaml:1.27
| \--- org.springframework:spring-context-support:5.3.10 (*)
Comment From: bclozel
See https://github.com/spring-projects/spring-boot/issues/28978#issuecomment-990814359
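The tree above lists log4j-api and log4j-to-slf4j but no log4j-core, and CVE-2021-44228 lives in log4j-core (the JndiLookup plugin), not in the API or bridge artifacts. The following script is an added example, not code from this issue or from Spring Boot: it parses `gradle dependencies` output, records the resolved version of every artifact (honouring `->` conflict-resolution arrows, since the right-hand side is what actually ships), and reports any log4j-core below 2.15.0, the release that disabled the JNDI message lookup. The 2.15.0 threshold is a labelled constant because later advisories (CVE-2021-45046 and after) raised the recommended floor. The first sample tree is copied from the issue; the other two are constructed to show a vulnerable starter-log4j2 setup and one where a version override resolves log4j-core upwards.

```python
import re
from typing import Dict, List, Tuple

# Gradle prints one dependency per line: tree glyphs, then group:artifact:version,
# optionally " -> <resolved>" when conflict resolution picked a different version,
# and trailing markers such as "(*)" (already shown) or "(c)" (constraint).
_DEP_RE = re.compile(
    r"^[\s|]*[+\\]---\s+"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+)(?::(?P<declared>\S+))?"
    r"(?:\s+->\s+(?P<resolved>\S+))?"
)

LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
# 2.15.0 removed the JNDI message lookup behind CVE-2021-44228. Treat it as the
# minimum for this CVE only; follow-up advisories recommend later 2.x releases.
CVE_2021_44228_FIXED_IN = "2.15.0"


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric ordering key: "2.13.3" -> (2, 13, 3). Pre-release tags such as
    "2.0-beta9" are ordered by their digits only, which is adequate for a
    comparison against the 2.15.0 threshold."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def parse_gradle_tree(text: str) -> Dict[Tuple[str, str], set]:
    """Map (group, artifact) -> set of resolved versions appearing in the tree."""
    deps: Dict[Tuple[str, str], set] = {}
    for line in text.splitlines():
        m = _DEP_RE.match(line)
        if not m:
            continue
        # The resolved version (right of "->") is what lands on the classpath.
        version = m.group("resolved") or m.group("declared")
        if version is None:
            continue
        deps.setdefault((m.group("group"), m.group("artifact")), set()).add(version)
    return deps


def log4j_artifacts(text: str) -> Dict[str, set]:
    """Every org.apache.logging.log4j artifact in the tree with its versions."""
    return {a: v for (g, a), v in parse_gradle_tree(text).items()
            if g == "org.apache.logging.log4j"}


def log4j_core_exposure(text: str) -> List[str]:
    """log4j-core versions in the tree below CVE_2021_44228_FIXED_IN.
    Empty means log4j-core is absent (log4j-api / log4j-to-slf4j alone do not
    contain JndiLookup) or every resolved log4j-core is at or above the fix."""
    deps = parse_gradle_tree(text)
    fixed = version_key(CVE_2021_44228_FIXED_IN)
    return sorted(v for v in deps.get(LOG4J_CORE, set()) if version_key(v) < fixed)


# Sample 1: copied from the issue (Logback default; only log4j-api + log4j-to-slf4j).
SAFE_TREE = """\
+--- org.springframework.boot:spring-boot-starter-cache:2.4.11
|    +--- org.springframework.boot:spring-boot-starter:2.4.11
|    |    +--- org.springframework.boot:spring-boot-starter-logging:2.4.11
|    |    |    +--- ch.qos.logback:logback-classic:1.2.6
|    |    |    +--- org.apache.logging.log4j:log4j-to-slf4j:2.13.3
|    |    |    |    +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.32
|    |    |    |    \\--- org.apache.logging.log4j:log4j-api:2.13.3
|    |    |    \\--- org.slf4j:jul-to-slf4j:1.7.32
|    \\--- org.springframework:spring-context-support:5.3.10 (*)
"""

# Sample 2: constructed; a project that swapped in spring-boot-starter-log4j2.
VULN_TREE = """\
+--- org.springframework.boot:spring-boot-starter-log4j2:2.4.11
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.3
|    |    +--- org.apache.logging.log4j:log4j-api:2.13.3
|    |    \\--- org.apache.logging.log4j:log4j-core:2.13.3
|    |         \\--- org.apache.logging.log4j:log4j-api:2.13.3
|    \\--- org.apache.logging.log4j:log4j-jul:2.13.3
"""

# Sample 3: constructed; same starter, but a version override resolved log4j-core up.
OVERRIDDEN_TREE = """\
+--- org.springframework.boot:spring-boot-starter-log4j2:2.4.11
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.13.3 -> 2.17.1
|    |    \\--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.17.1
|    \\--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.17.1 (*)
"""


def report(name: str, text: str) -> str:
    exposed = log4j_core_exposure(text)
    verdict = f"EXPOSED (log4j-core {', '.join(exposed)})" if exposed else "not exposed"
    return f"{name}: {verdict}; log4j artifacts: {log4j_artifacts(text)}"


if __name__ == "__main__":
    for name, tree in (("issue tree", SAFE_TREE),
                       ("starter-log4j2", VULN_TREE),
                       ("overridden", OVERRIDDEN_TREE)):
        print(report(name, tree))
```

Run it against `./gradlew dependencies --configuration runtimeClasspath` output rather than the default (all configurations) report, since a test-only log4j-core would otherwise be flagged alongside what actually ships; conversely, a tree alone does not catch a log4j-core shaded into a fat jar by another dependency, so pair it with a jar scan of the deployed artifact.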