Comment From: jdelobel
Hi,
I use Spring Boot 2.2.6.RELEASE and I am facing the log4shell issue (this version of Spring Boot uses log4j2 2.12.1). Actually, a lot of projects depend on our framework, which is based on Spring Boot.
We declare the dependency management as follows:
and the log4j2 2.15.0 dependency is explicitly declared in another internal import.
But when I check the dependency tree,
I find the 2.12.1 log4j2 version. I think Spring Boot overrides my framework's log4j version.
How can I manage the dependency properly (exclusion does not work on import scope)?
We have already tried to add log4j2.version properties but it seems to not take effect for import scope declared in dependencyManagement as recommended on the website https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
Here is an extract showing the wrong dependency (2.12.1 instead of 2.15.0):
```
[INFO] | +- (my-internal-artifact:jar:6.16.1:compile - omitted for duplicate)
[INFO] | +- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile (version managed from 2.15.0)
[INFO] | +- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile (version managed from 2.15.0)
[INFO] | | - (org.apache.logging.log4j:log4j-api:jar:2.12.1:compile - version managed from 2.15.0; omitted for duplicate)
[INFO] | - org.apache.logging.log4j:log4j-slf4j-impl:jar:2.12.1:compile (version managed from 2.15.0)
[INFO] | +- (org.slf4j:slf4j-api:jar:1.7.30:compile - version managed from 1.7.25; omitted for duplicate)
[INFO] | +- (org.apache.logging.log4j:log4j-api:jar:2.12.1:compile - version managed from 2.15.0; omitted for duplicate)
[INFO] | - (org.apache.logging.log4j:log4j-core:jar:2.12.1:runtime - version managed from 2.15.0; omitted for duplicate)
```
Thanks Julien
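The situation described in the question above (a framework POM that imports `spring-boot-dependencies` with `import` scope, where `log4j2.version` has no effect because properties of an importing POM are not substituted into an imported BOM) can be handled by ordering the BOM imports. The POM fragment below is an added example, not code from this thread or from the Spring Boot project; it assumes the framework imports the Spring Boot BOM rather than inheriting from `spring-boot-starter-parent`, and uses the 2.17.0 version that later comments in this thread move to.

```xml
<!-- Added example (not from this thread). Assumes the framework POM imports
     spring-boot-dependencies with scope "import", as the question describes. -->
<dependencyManagement>
  <dependencies>
    <!-- Declared FIRST: Maven processes imported BOMs in declaration order and
         the first managed version of an artifact wins, so the log4j entries of
         this BOM take precedence over those in spring-boot-dependencies. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-bom</artifactId>
      <!-- 2.17.0 is the version the later comments in this thread upgrade to
           (CVE-2021-45105); pin whatever version your policy requires. -->
      <version>2.17.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- The Spring Boot BOM comes AFTER; its log4j 2.12.1 entries are then
         ignored for the artifacts already managed by log4j-bom. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>2.2.6.RELEASE</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

After the change, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` in a consuming project should no longer report `version managed from` entries pointing back to 2.12.1 for log4j-api, log4j-core or log4j-slf4j-impl.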
Comment From: snicoll
Reopening to upgrade to 2.17.0 per CVE-2021-45105.
Comment From: ThomHurks
Will you also update the log4j-core version in spring-boot/buildSrc/build.gradle?
Comment From: snicoll
@ThomHurks thanks for the nudge. The upgrade was done this morning with a lack of coffee so I forgot to update it there. That's done now.
Comment From: ThomHurks
Thanks! 😊