
We heard that log4j-core.jar is vulnerable.
We noticed that the spring-cloud-starter-sleuth (version 2.2.2.RELEASE) dependency brings in a dependency which uses log4j-core.jar (version 2.13.0) with provided scope, as follows:

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>${log4j.version}</version>
  <scope>provided</scope>
</dependency>

The exact jar that brings the log4j dependency is:

<groupId>io.zipkin.brave</groupId>
<artifactId>brave-context-log4j2</artifactId>
<version>5.10.1</version>

We are not using Zipkin in our code or configurations, just Sleuth.
Is our code vulnerable?

Yuval Simhon
  • No, it is a provided dependency means it doesn't take that version. So unless you are actually including that version (or anything other than 2.15) you are vulnerable. – M. Deinum Dec 13 '21 at 13:40
  • @M.Deinum - If it's not provided, will it fail at runtime? – Yuval Simhon Dec 13 '21 at 13:42
  • No. If it works now it works then. A `provided` dependency isn't part of the deployment (only compile and runtime). So again if this isn't in your deployable (your jar or war) it isn't an issue. – M. Deinum Dec 13 '21 at 13:52
  • @M.Deinum So what if I'm using spring logback with sleuth that has vulnerable log4j in provided scope, does it mean I have nothing to be scared of? – sadxd Dec 15 '21 at 11:38
  • No, as that is only the API, not log4j-core, which has the vulnerability. Which is also explained in detail here https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot – M. Deinum Dec 15 '21 at 12:08

1 Answer


Spring Cloud Sleuth 2.x is not supported anymore and as M. Deinum mentioned Sleuth will not bring these dependencies for you because of the provided scope. You can test this by running gradlew dependencies or mvn dependency:tree.

Jonatan Ivanov
  • As far as I understand I will not see Provided in the `mvn dependency:tree` as it will be provided by the environment/OS/JVM and not get packed. It's also mentioned here: https://stackoverflow.com/questions/5389934/maven-implicit-provided-dependencies-not-shown-in-dependencytree – Yuval Simhon Dec 14 '21 at 06:32
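The thread's conclusion is that what matters is the built deployable, not what the dependency tree lists: a provided-scope log4j-core never lands in the jar or war. The most direct check is therefore to open the artifact and look for a bundled log4j-core. The following script is an added example, not code from the question, the answer, or the Spring/Zipkin projects. It constructs two in-memory Spring Boot style fat jars (constructed samples, labelled as such) and scans BOOT-INF/lib or WEB-INF/lib entries for log4j-core; the 2.15.0 threshold is taken from M. Deinum's comment above and is an assumption of this example, and the sample entry names are constructed, not taken from a real build.

```python
import io
import re
import zipfile

# Version the thread's comments treat as fixed ("anything other than 2.15").
# Assumption for this example, taken from the comment above.
MIN_SAFE_VERSION = (2, 15, 0)

# Matches a bundled log4j-core jar with a plain numeric version in its filename.
# Qualified versions (e.g. "-rc1") are deliberately not matched here.
LOG4J_CORE_RE = re.compile(r"(?:^|/)log4j-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """'2.13.0' -> (2, 13, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.split("."))


def find_log4j_core(archive_bytes):
    """Return [(entry_path, version_tuple)] for every log4j-core jar bundled in
    a deployable (Spring Boot BOOT-INF/lib or war WEB-INF/lib). A provided-scope
    dependency is never packaged, so it cannot show up here."""
    found = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            m = LOG4J_CORE_RE.search(name)
            if m:
                found.append((name, parse_version(m.group(1))))
    return found


def assess(archive_bytes):
    """Map the scan onto the question: is log4j-core actually deployed, and if so
    is it older than the version the thread calls fixed?"""
    hits = find_log4j_core(archive_bytes)
    if not hits:
        return {"bundled": False, "exposed": False, "versions": []}
    versions = [v for _, v in hits]
    return {
        "bundled": True,
        "exposed": any(v < MIN_SAFE_VERSION for v in versions),
        "versions": [".".join(map(str, v)) for v in versions],
    }


def scan_file(path):
    """Convenience wrapper for a real jar/war on disk."""
    with open(path, "rb") as fh:
        return assess(fh.read())


def build_sample_deployable(lib_entries):
    """Construct an in-memory fat jar (constructed sample, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("BOOT-INF/classes/application.properties", "spring.application.name=demo\n")
        for entry in lib_entries:
            zf.writestr(entry, b"")  # contents irrelevant; only the path/version matter here
    return buf.getvalue()


# Constructed sample 1: the asker's situation, where the provided-scope log4j-core
# pulled in via brave-context-log4j2 is (correctly) absent from the deployable.
SLEUTH_ONLY = build_sample_deployable([
    "BOOT-INF/lib/spring-cloud-starter-sleuth-2.2.2.RELEASE.jar",
    "BOOT-INF/lib/brave-context-log4j2-5.10.1.jar",
    "BOOT-INF/lib/log4j-api-2.13.0.jar",
    "BOOT-INF/lib/logback-classic-1.2.3.jar",
])

# Constructed sample 2: a build that does ship log4j-core 2.13.0, e.g. because
# the project's own pom declares it with compile scope.
SHIPS_OLD_CORE = build_sample_deployable([
    "BOOT-INF/lib/spring-cloud-starter-sleuth-2.2.2.RELEASE.jar",
    "BOOT-INF/lib/log4j-api-2.13.0.jar",
    "BOOT-INF/lib/log4j-core-2.13.0.jar",
])

if __name__ == "__main__":
    for label, blob in (("sleuth-only", SLEUTH_ONLY), ("ships-old-core", SHIPS_OLD_CORE)):
        print(label, assess(blob))
```

Run `scan_file("target/app.jar")` (or the war) against the real artifact instead of the constructed samples; the first sample reports nothing bundled, which is the outcome the thread describes for a provided-scope log4j-core, while the second flags the packaged 2.13.0 jar. Note that log4j-api alone is intentionally not flagged, matching the comment that only log4j-core carries the issue.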