
I heard Log4j core is vulnerable according to https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

So I need a fix to get rid of vulnerabilities from my services!

I am trying to bump up log4j from older versions to 2.15.0

I can manually upgrade the dependencies, but the problem is that I don't know whether any dependency is downloading an older log4j version or not!

So I want some solution that will just upgrade the log4j dependency in my projects, whether they are direct or transitive :)

Dupinder Singh
  • You can update the log4j core dependency/jar with a newer version. [log4j core 15](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.15.0) or [log4j core 16](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.16.0) – I AM GROOT Dec 15 '21 at 13:16

2 Answers

[UPDATE] Log4j rolled out a new version 2.17.0 with some more security fixes and recommended using 2.17.0 in systems :)

[UPDATE] Log4j released one more build which is 2.16.0 with one more security fix!


I found the dirty fix!

Just add the following code block in your build.gradle and this will upgrade your log4j libs to 2.16.0, regardless of whether the dependency is direct or transitive.

```groovy
// Applies to every configuration (compileClasspath, runtimeClasspath, test..., etc.)
configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        // Matches every module in the group (log4j-core, log4j-api, log4j-slf4j-impl, ...),
        // whether it was declared directly or pulled in transitively by another library
        if (details.requested.group == 'org.apache.logging.log4j') {
            details.useVersion '2.17.0'
        }
    }
}
```
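Since the underlying worry is "which dependency is pulling in an old log4j", here is an added check (example code, not from the answer or from Gradle) that reads the tree printed by `./gradlew dependencies --configuration runtimeClasspath` and flags every log4j module whose resolved version is still below a minimum; `check_log4j`, `sample_report` and the report contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or from Gradle): pipe the output of
#   ./gradlew dependencies --configuration runtimeClasspath
# into check_log4j to list every org.apache.logging.log4j module whose resolved
# version (the value after "->" when Gradle or a resolutionStrategy rewrote it)
# is below the minimum given as $1. Exit status 1 means something resolves too low.
check_log4j() {
  awk -v min="$1" '
    function vernum(v,  p, n) {           # "2.17.0" -> 2017000 for comparing
      n = split(v, p, ".")
      return p[1] * 1000000 + p[2] * 1000 + (n >= 3 ? p[3] : 0)
    }
    {
      for (i = 1; i <= NF; i++) {         # skip the +--- / \--- tree characters
        if ($i !~ /^org\.apache\.logging\.log4j:/) continue
        split($i, a, ":")                 # group, module, requested version
        resolved = ($(i + 1) == "->") ? $(i + 2) : a[3]
        key = a[1] ":" a[2] " " resolved
        if (!(key in seen)) {             # report each module/version once
          seen[key] = 1
          if (vernum(resolved) < vernum(min)) {
            print key, "(requested " a[3] ")"
            bad = 1
          }
        }
        break
      }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed report of a build WITHOUT the resolutionStrategy block: nobody
# declares log4j directly, two libraries pull it in, and Gradle's default
# conflict resolution only lifts the older request to the highest one seen.
sample_report() {
cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.example:web-framework:1.0
|    +--- org.apache.logging.log4j:log4j-api:2.14.1
|    \--- org.apache.logging.log4j:log4j-core:2.14.1
\--- com.example:legacy-lib:3.2
     \--- org.apache.logging.log4j:log4j-core:2.13.3 -> 2.14.1 (*)
EOF
}

sample_report | check_log4j 2.17.0 || echo "still below 2.17.0: add the block and re-run"
```

After the resolutionStrategy block is in place, the same report shows `2.14.1 -> 2.17.0` on every log4j line and the check exits 0.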
Dupinder Singh

Please find the solution below.

Upgrade the Apache log4j version to 2.15.0 (release date: Friday, December 10, 2021) if you are using Apache log4j and the version is less than 2.15.0. Currently 2.15.0 is outdated. Use 2.16.0.

On Dec 13th, Apache introduced a new version of log4j, Log4j 2.16.0, which is more reliable to use.

Also check the JVM version; if it is lower than the following, you may get impacted.

  1. Java 6 – 6u212
  2. Java 7 – 7u202
  3. Java 8 – 8u192
  4. Java 11 – 11.0.2
  • Updating the Java version is not sufficient, it only protects you against some of the possible exploits. The only real fix is to update to log4j 2.16.0. – Mark Rotteveel Dec 16 '21 at 15:12
  • Thanks for the update. Yes, my post was on Dec 12th; log4j 2.15.0 was valid as of that date. log4j 2.16.0 was released on December 13th. Also, I mentioned updating the log4j version as well as the JVM version. The Apache foundation has introduced the log4j 2.17.0 version. – Eswaran Venkatesan Dec 22 '21 at 19:51