
Given that Log4J 2.x is suffering from a major remote code execution vulnerability (Check vulnerability), I started taking a look at my project dependencies to see if I use Log4J through e.g. slf4j, and luckily I do not.

But I found another dependency on Log4J through spring-boot-starter-data-mongodb. The last version of the package was produced in Nov. 2021, so the issue is not mitigated there.

How can I get rid of the dependency without getting rid of spring-boot-starter-data-mongodb, as I rely heavily on it?

➜  mvn dependency:tree | grep -B 5 log4j
[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
Omar Yasser
  • Just define a new version of log4j 2.15.0 in your pom file... Furthermore, you have only a dependency on log4j-api and not on log4j-core (which is the problem)... And furthermore, do you even use log4j 2 in your project? – khmarbaise Dec 13 '21 at 12:22
  • @khmarbaise Thanks for pointing out that this vulnerability is only against the logback-core and not the log4j-api. Regarding your question, I don't use log4j 2 explicitly, but I was not sure if the MongoDB package would use it in a way that I am unaware of, given that it has Log4J as a dependency. – Omar Yasser Dec 13 '21 at 12:28
  • You are wrong here, because the CVE described is against log4j-core and **NOT** against `logback-core`; you should read those things carefully: https://www.lunasec.io/docs/blog/log4j-zero-day/ and also the link given by @jonrsharpe – khmarbaise Dec 13 '21 at 12:30
  • Thanks for correcting me again. – Omar Yasser Dec 13 '21 at 12:44

1 Answer

Per the Spring blog, you don't need to:

The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

jonrsharpe
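Since the whole thread turns on telling log4j-core apart from the harmless log4j-api / log4j-to-slf4j jars, here is an added POSIX shell check (not from the question or the answer) that scans `mvn dependency:tree` output and flags only a log4j-core artifact older than 2.15.0. The tree it runs on is a constructed sample modelled on the question's output, with a hypothetical `com.example:some-lib` pulling in log4j-core so that a finding is visible; the version threshold and verdict labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag log4j-core below the fixed version in a Maven dependency
# tree; log4j-api and log4j-to-slf4j are listed but not flagged.

# Constructed sample tree (based on the question's output, plus a hypothetical
# com.example:some-lib dependency that drags in log4j-core).
SAMPLE_TREE='[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile
[INFO] +- com.example:some-lib:jar:1.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.12.1:compile'

FIXED_VERSION=2.15.0   # version named in the comments above (assumed threshold)

# version_lt A B: true (exit 0) when A < B, comparing dot-separated fields numerically
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0;
            if ((x[i] + 0) > (y[i] + 0)) exit 1;
        }
        exit 1 }'
}

# scan_tree: reads tree output on stdin, prints "<artifactId> <version> <verdict>"
# for every org.apache.logging.log4j artifact; returns 1 if vulnerable log4j-core is found
scan_tree() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *org.apache.logging.log4j:*) ;;
            *) continue ;;
        esac
        coord=${line##*org.apache.logging.log4j:}      # artifactId:type:version:scope
        artifact=$(printf '%s' "$coord" | cut -d: -f1)
        version=$(printf '%s' "$coord" | cut -d: -f3)
        if [ "$artifact" = "log4j-core" ] && version_lt "$version" "$FIXED_VERSION"; then
            verdict=VULNERABLE; found=1
        elif [ "$artifact" = "log4j-core" ]; then
            verdict=patched
        else
            verdict=not-exploitable-alone
        fi
        printf '%s %s %s\n' "$artifact" "$version" "$verdict"
    done
    return $found
}

# Stand-alone run on the sample; a real run would pipe `mvn dependency:tree` instead.
printf '%s\n' "$SAMPLE_TREE" | scan_tree || echo "vulnerable log4j-core found"
```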