CVE-2021-44228 Spring Boot and Log4j2 Vulnerability

What is CVE-2021-44228?

CVE-2021-44228 is a vulnerability impacting all applications written in Java that use the Apache Log4j2 component for logging. It allows unauthenticated remote code execution through the JNDI Lookup feature. Log4j2 is widely used, directly or through transitive dependencies, in almost every Java application, including almost all enterprise-level and cloud-based applications.

Recommendation By Spring Boot

The vulnerability has been reported against Apache log4j2-core.jar and has been fixed in the log4j2 v2.17.1 jar, which was released on 09 Dec 2021. According to the official Spring Boot blog, only Spring Boot users who use log4j2-core instead of spring-boot-starter-logging are affected by this vulnerability. The log4j-to-slf4j and log4j-api jars that spring-boot-starter-logging includes cannot be exploited on their own.

The Spring Boot blog also states that its Dec 23, 2021 release will use log4j2 v2.17.1. But since this is a high-profile vulnerability, the log4j2 version should be upgraded as soon as possible.

How to check the log4j2 dependencies in a Maven or Gradle project

Maven:

./mvnw dependency:list | grep log4j

Gradle:

./gradlew dependencyInsight --dependency log4j-core
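One way to automate the Maven check above, as an added script that is not part of the original post: it parses `dependency:list` output (the sample lines here are constructed, not from a real project) for log4j-core and compares the version it finds against 2.17.1.

```shell
#!/bin/sh
# Added example: classify the log4j-core version in `./mvnw dependency:list` output.
# The dependency lists below are constructed samples, not output from a real project.
FIXED_VERSION='2.17.1'

VULNERABLE_SAMPLE='[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile'

UPGRADED_SAMPLE='[INFO]    org.apache.logging.log4j:log4j-core:jar:2.17.1:compile'

STARTER_ONLY_SAMPLE='[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile'

# Print the log4j-core version from dependency:list output (groupId:artifactId:type:version:scope),
# or nothing if log4j-core is not on the classpath. Assumes the entry has no classifier field.
log4j_core_version() {
    printf '%s\n' "$1" | awk -F: '/org\.apache\.logging\.log4j:log4j-core:/ { print $4; exit }'
}

# Exit 0 if dotted version $1 is >= dotted version $2, comparing numeric components left to right.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Print ABSENT, "OK <version>" or "VULNERABLE <version>" for one dependency:list output.
classify_log4j_core() {
    version=$(log4j_core_version "$1")
    if [ -z "$version" ]; then
        echo "ABSENT"
    elif version_at_least "$version" "$FIXED_VERSION"; then
        echo "OK $version"
    else
        echo "VULNERABLE $version"
    fi
}

classify_log4j_core "$VULNERABLE_SAMPLE"    # VULNERABLE 2.14.1
classify_log4j_core "$UPGRADED_SAMPLE"      # OK 2.17.1
classify_log4j_core "$STARTER_ONLY_SAMPLE"  # ABSENT
```

In a real project, pipe `./mvnw dependency:list` into a variable and pass it to classify_log4j_core; ABSENT means only the starter's log4j-api and log4j-to-slf4j jars are present, which the post notes cannot be exploited on their own.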

If log4j2-core is in use, change the lines below to upgrade to v2.17.1.

Maven:

<properties>
    <log4j2.version>2.17.1</log4j2.version>
</properties>

Gradle:

If using the Gradle dependency management plugin:

ext['log4j2.version'] = '2.17.1'

If using Gradle platform support:

implementation(platform("org.apache.logging.log4j:log4j-bom:2.17.1"))

If using neither of the above, you can pin the version with a resolutionStrategy:

configurations.all {
	resolutionStrategy.eachDependency { DependencyResolveDetails details ->
		if (details.requested.group == 'org.apache.logging.log4j') {
			details.useVersion '2.17.1'
		}
	}
}

Using JVM Arguments

For all other users who cannot upgrade to the latest version, it is recommended to set the log4j2.formatMsgNoLookups system property to true with the JVM argument -Dlog4j2.formatMsgNoLookups=true, as in the command below.

java -Dlog4j2.formatMsgNoLookups=true -jar test-app.jar