spring-boot-starter-log4j2: please support the latest version of log4j, 2.15.0-rc1
Log4j 2.15.0-rc1 is the latest version that fixes the security vulnerability.
Comment From: yochi2333
Now, Log4j 2.15.0-rc2 is the latest fixed version.
Comment From: ZeroZeroLi
wait online
Comment From: scottfrederick
Spring Boot will pick up the next Log4J release as part of the semi-automated dependency upgrade process. In the meantime, you can configure your build to use a version of your choice by setting the log4j2.version property in your build file as shown in the documentation.
Comment From: andotorg
Waiting for Spring Boot to pick up the next Log4J release as part of the semi-automated dependency upgrade process; use log4j.version and rebuild the Spring Boot project? I'm so sorry, it's too difficult for me to build a Spring Boot project.
Comment From: andotorg
Will spring officials consider rebuilding a version?
Comment From: snicoll
@andotorg We will upgrade to this newer version of log4j but this won't happen in a maintenance release so if you want to use this version now, overriding it in your application as described in the documentation is what you should be doing.
It's too difficult for me to build a Spring Boot project.
If we did the upgrade, you'd have to rebuild your application anyway.
Comment From: andotorg
I see, Thank you
Comment From: andotorg
log4j2 2.15.0 official version published
Comment From: nessex
To add some context, this is in response to the following RCE vulnerability:
https://www.lunasec.io/docs/blog/log4j-zero-day/
Comment From: snicoll
@Nessex thanks. We are aware of the CVE and the answers above still apply, there are a number of mitigations available in the link you've provided and upgrading your app is one of them. There's no need to wait for a Spring Boot release to do that.
Comment From: Artur-
Please note that the property mentioned above is wrong, at least for 2.5.
Set
<log4j2.version>2.15.0</log4j2.version>
to upgrade the version
Comment From: snicoll
Thanks @Artur-, that is correct and I've edited the comment above. All dependency versions are available in the doc.
Comment From: bmulder-innoseis
@snicoll This is about log4j2. However, spring-boot-starter-logging uses log4j (without the 2) as a dependency of log4j-to-slf4j. There is no log4j dependency version in that doc you linked.
Comment From: snicoll
@bmulder-innoseis I am not sure what you're trying to report.
spring-boot-starter-logging uses log4j (without the 2) as a dependency of log4j-to-slf4j.
This isn't a log4j dependency but the adapter from Log4j2's API to SLF4J. The log4j2 starter is here and the way to configure Spring Boot to use it is documented here.
There is no log4j dependency version in that doc you linked.
I am aware. There is a log4j2 version though which is what this issue is all about.
If you have more questions, please ask them on StackOverflow.
Comment From: andotorg
@snicol This is about log4j 2. However, spring-boot-starter-logging uses log4j (without the 2) as a dependency of log4j-to-slf4j. There is no log4j dependency version in the doc you linked.
modify sample:
Add
Comment From: yochi2333
But the Maven repository doesn't have version 2.15.0 of log4j2.
Comment From: snicoll
Thanks everyone. Spring Boot does not use log4j2 by default and those of you who are opting-in for log4j2 can update to a version that fixes the problem.
Please review the documentation for Maven: if you are using our starter, or if you are importing our bom.
If you are using Gradle, see this section.
The name of the property is log4j2.version, as documented.
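As an added illustration of the two Maven setups snicoll distinguishes (it is not from the Spring Boot project or this thread): with spring-boot-starter-parent the `log4j2.version` property is enough, but when the spring-boot-dependencies BOM is imported instead, properties of the imported BOM cannot be overridden and the newer log4j-bom has to be imported ahead of it in `dependencyManagement`. Both fragments assume Spring Boot 2.5.x and the fixed log4j 2.15.0 named in the thread.

```xml
<!-- Case 1: project inherits from spring-boot-starter-parent.
     Overriding the managed property is all that is needed. -->
<project>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.5.7</version> <!-- assumed version -->
  </parent>
  <properties>
    <!-- wins over the default managed by spring-boot-dependencies -->
    <log4j2.version>2.15.0</log4j2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
  </dependencies>
</project>

<!-- Case 2: project imports the BOM instead of using the parent.
     A property set here does NOT reach the imported BOM, so the
     patched log4j-bom must be declared BEFORE spring-boot-dependencies;
     Maven keeps the first managed version it encounters. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-bom</artifactId>
        <version>2.15.0</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.5.7</version> <!-- assumed version -->
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

Whichever form is used, confirm the resolved artifact rather than trusting the build file: `mvn dependency:list | grep log4j-core` should print 2.15.0 and nothing older, transitively included copies counted.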