https://logging.apache.org/log4j/2.x/security.html

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228

Comment From: snicoll

Thanks for the PR but, as stated in the PR template, we don't accept dependency upgrades like this.

Comment From: jonathan-baker-disney

@snicoll - Is there a plan to resolve this CVE quickly, or will you just change the version with the next release? I know we can all override the property inside of our projects individually, but I am curious if Spring would release a quick patch just for this.

Comment From: snicoll

The CVE is not ours so I am not sure what you're asking us. Spring Boot is not affected by default, only users that are opting in to log4j2 are. I don't think we would have released a new version but it turns out that we have a round of releases on 23 December that will include it.

Comment From: jonathan-baker-disney

@snicoll - Thank you for the quick reply. I know the CVE wasn't yours, but I thought since you included the compromised version that you might have been putting out a version of spring-boot with the fixed log4j. I did forget that logback was the default, so it makes sense that you aren't doing a quick fix. I just wanted to get a feel for when a spring-boot fix would be released. Thank you again.

Comment From: rsousa

As it can help others: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot