If I understand correctly, log4j is automatically used when used in a Spring Boot project (at least I found it in mine even without asking for it).

Since Log4J released a new 2.17.0 version with fixes for CVE-2021-45046 and CVE-2021-45105, it would be great if you could quickly release an updated version that just fixes the dependencies in order to fix our apps in a short time.

Comment From: bclozel

As mentioned in our issue template:

  • Managed Dependency Upgrade: You DO NOT need to raise an issue for a managed dependency version upgrade as there's a semi-automatic process for checking managed dependencies for new versions before a release. BUT pull requests for upgrades that are more involved than just a version property change are still most welcome.

This is already covered by #28984 (and related issues) as well as our dedicated blog post. This will be released on December 23rd.

Comment From: snicoll

If I understand correctly, log4j is automatically used when used in a Spring Boot project (at least I found it in mine even without asking for it).

That is inaccurate. Spring Boot uses logback by default. The dedicated blog post also covers that using log4j-api and the slf4j bridge (which we provide for convenience) does not trigger any of those vulnerabilities. If you've not opted in to log4j2, your app is not vulnerable.

Comment From: Polve

But since even logback is vulnerable, my app is vulnerable anyway. Also, I verified it and the vulnerability is even quite easy to exploit.

So my request was to understand if it was possible to have a very fast turnaround for a new release with upgraded deps.

Comment From: snicoll

You don't need, and you shouldn't need, to wait for a release to upgrade your use of Logback or Log4J2. The blog post already has all the information that you're asking for.

Comment From: Polve

Right, but since I couldn't find any mention of how to upgrade logback, I (wrongly) assumed I couldn't use a similar approach to force the dependency. Then I tried to set the property logback.version and it worked. Thanks.
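As an added example (not from the thread or the Spring Boot project), the version-property override Polve describes, written for a Maven build that inherits from spring-boot-starter-parent; the Spring Boot parent version and the Logback version are placeholders, while 2.17.0 is the Log4J2 release named above:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- The managed versions live in the parent; properties declared here
       take precedence over the parent's values. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>SPRING_BOOT_VERSION_PLACEHOLDER</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>logging-override-example</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Default logging stack (spring-boot-starter-logging): override the
         managed Logback version. Placeholder: set to the current patched release. -->
    <logback.version>PATCHED_LOGBACK_VERSION_PLACEHOLDER</logback.version>

    <!-- Only relevant if the project opted in to spring-boot-starter-log4j2;
         the log4j-api + SLF4J bridge shipped by default is not affected. -->
    <log4j2.version>2.17.0</log4j2.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

If the build imports the spring-boot-dependencies BOM in dependencyManagement instead of using the parent, a property override does not apply; the overriding dependency entries must be declared in dependencyManagement before the BOM import. Confirm the resolved versions with `mvn dependency:tree` before treating the build as patched.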