Spring-boot-starter-logging indirectly depends on log4j version 2.14 through the log4j-to-slf4j adapter dependency.

This version of log4j has been the subject of a zero-day vulnerability as explained here: https://www.cyberkendra.com/2021/12/worst-log4j-rce-zeroday-dropped-on.html

This means that all projects that use spring boot could be subject to that same zero-day whenever log4j code is actually executed directly or indirectly.

A related ticket has been opened here: #28958, but that one is talking about the optional log4j2 instead, which can optionally be updated through the log4j2.version variable. But this is about log4j without the 2, which by default is included in spring boot starters in maven.

Comment From: snicoll

As I've already explained in the related issue, log4j-to-slf4j is an adapter between the log4j API and slf4j. It does indeed bring log4j-api but does not bring log4j-core, so our starter is not affected by this vulnerability.

Comment From: wilkinsona

> But this is about log4j without the 2, which by default is included in spring boot starters in maven.

This is incorrect. The log4j-to-slf4j module is part of Log4j2 and overriding the log4j2.version property will affect the version of log4j-to-slf4j that spring-boot-starter-logging uses.

It's also worth reiterating that an application that depends on log4j-to-slf4j (which is used to route logging made using the Log4j2 API into a logging system other than Log4j2) is not vulnerable. To be vulnerable, you have to be using log4j-core and including user input in log messages.

Comment From: bmulder-innoseis

Thank you for your explanation, it is clear now.

Comment From: jdelobel

Hi,

I use spring boot 2.2.6.RELEASE and I am facing the log4shell issue (this version of spring boot uses log4j2 2.12.1). Actually, a lot of projects depend on our framework based on spring boot.

We declare the dependency management as follows:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <type>pom</type>
    <version>2.2.6.RELEASE</version>
    <scope>import</scope>
</dependency>
```

and the log4j2 2.15.0 dependency is explicitly declared in another internal import.


But when I check the dependency tree, I find the 2.12.1 log4j2 version. I think spring boot overrides my framework's log4j version.

How can I manage the dependency properly (exclusion does not work on import scope)?

We have already tried to add the *log4j2.version* property, but it seems not to take effect for import scope declared in *dependencyManagement*, as recommended on the website https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot


Thanks
Julien


Comment From: philwebb

@jdelobel 

The property override will only work if you are using our parent pom. For imports, you should use Maven's `<dependencyManagement>` tag.

Something like

```xml
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.16.0</version>
            <!-- a BOM import needs type pom; without it Maven ignores the import -->
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

I'll try to update the blog post when I get time.

Comment From: snicoll

The blog post you've referenced has a link to the instructions for Maven, this one specifically as you're not using the parent. Concretely this should be as follows:

```xml
<dependencyManagement>
    <dependencies>
        <!-- the log4j BOM must come before the Spring Boot BOM import -->
        <dependency>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-bom</artifactId>
            <version>2.16.0</version>
            <!-- a BOM import needs type pom and scope import -->
            <type>pom</type>
            <scope>import</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-dependencies</artifactId>
            <type>pom</type>
            <version>2.2.6.RELEASE</version>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

The log4j dependency must be before our bom import (the link above explains that as well).

Comment From: jdelobel

Hi,

I have added the log4j bom:


```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <type>pom</type>
    <version>2.2.6.RELEASE</version>
    <scope>import</scope>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-bom</artifactId>
    <version>2.16.0</version>
    <scope>import</scope>
</dependency>
```

but I still have the same problem (same result if the log4j bom dependency is before):

```text
[INFO] +- my-internal-dependencies:jar:6.16.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.12.1:compile
```

Comment From: snicoll

The log4j dependency must be before our bom import (the link above explains that as well).

Comment From: jdelobel

Hi, as mentioned above, this dependency order has the same result:

```xml
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-bom</artifactId>
    <version>2.16.0</version>
    <scope>import</scope>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <type>pom</type>
    <version>2.2.6.RELEASE</version>
    <scope>import</scope>
</dependency>
```

```text
[INFO] +- my-internal-dependencies:jar:6.16.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.12.1:compile
```

NOTE: in your official docs, the dependency is after: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

Comment From: snicoll

That's not the official docs but a blog post that I've just fixed (thanks for letting us know). The official doc is the link I gave you, that is https://docs.spring.io/spring-boot/docs/current/maven-plugin/reference/htmlsingle/#using.import.

I think this has run its course now. If you're looking for support using Maven, please ask a question on StackOverflow. You'll have to attach a small sample that reproduces the problem you are experiencing as something else you're not showing is causing the wrong version to be picked up.
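A check for the situation this thread describes, added here and not part of the thread or of Spring Boot: it parses `mvn dependency:tree` output (a constructed sample modelled on the tree posted above), lists the resolved version of every log4j artifact, and flags log4j-core older than the 2.16.0 BOM the thread imports, while log4j-api or log4j-to-slf4j on their own are reported but not flagged, following wilkinsona's explanation above. The script name `check_log4j.py` is assumed.

```python
import sys
# Constructed sample in the shape of `mvn dependency:tree` output, modelled on
# the tree posted in this thread (2.12.1 predates the 2.16.0 BOM the thread imports).
SAMPLE_TREE = """\
[INFO] +- my-internal-dependencies:jar:6.16.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.12.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.6.RELEASE:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
"""

LOG4J_GROUP = "org.apache.logging.log4j"
# Per wilkinsona's comment: the vulnerable code is in log4j-core; log4j-api and log4j-to-slf4j alone are not affected.
VULNERABLE_ARTIFACT = "log4j-core"
FIXED = (2, 16, 0)  # version the thread imports via log4j-bom

def parse_version(version):
    """'2.12.1' -> (2, 12, 1); non-numeric qualifiers such as RELEASE are dropped."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def parse_tree(text):
    """Yield (groupId, artifactId, version); Maven prints groupId:artifactId:type[:classifier]:version:scope last."""
    for line in text.splitlines():
        fields = line.split()
        coords = fields[-1].split(":") if fields else []
        if len(coords) in (5, 6):
            yield coords[0], coords[1], coords[-2]

def log4j_versions(tree_text):
    """Map each log4j artifact in the tree to the set of versions it resolves to."""
    found = {}
    for group, artifact, version in parse_tree(tree_text):
        if group == LOG4J_GROUP:
            found.setdefault(artifact, set()).add(version)
    return found

def vulnerable_core_versions(tree_text, fixed=FIXED):
    """Return the log4j-core versions in the tree that are older than `fixed`."""
    versions = log4j_versions(tree_text).get(VULNERABLE_ARTIFACT, set())
    return {v for v in versions if parse_version(v) < fixed}

if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree | python check_log4j.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    for artifact, versions in sorted(log4j_versions(text).items()):
        print(f"{artifact}: {', '.join(sorted(versions))}")
    bad = vulnerable_core_versions(text)
    print("log4j-core below 2.16.0:", ", ".join(sorted(bad)) or "none")
    sys.exit(1 if bad else 0)
```

The exit status makes it usable as a CI gate after the BOM fix above, so a regression back to 2.12.1 through a transitive dependency is caught at build time.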

Comment From: jdelobel

Hi,

Ok i will check it.

FYI, we use the 2.2.6.RELEASE version. Is it possible to create a 2.2.7.RELEASE with the 2.16.0 log4j version? I can do the PR, but it is my first time and I'm not sure that the PR will be validated to do the release.

Thanks

Comment From: snicoll

> Is it possible to create a 2.2.7.RELEASE with the 2.16.0 log4j version?

Spring Boot 2.2.x has been out of OSS support for over 2 years. Please upgrade to at least 2.5.x at your earliest convenience.

Comment From: jdelobel

OK, thanks for your reply.