
For our Spring Boot project, we are using a customized Spring Boot library, and it has been upgraded now.

But during the upgrade we have kept the older version of Hibernate Core, 5.3.7.Final, to support the NamedNativeQuery functionality. And this version is internally using an older, vulnerable version of log4j.

However, as part of security, the overall log4j version is upgraded to the latest, and we can see only log4j 2.17.1 when we run `mvn dependency:list`.

Is this sufficient to handle the log4j vulnerability?

Thanks in advance.

Ganesh Java

2 Answers


Hibernate is not affected:

Hibernate projects are not affected by the vulnerabilities behind CVE-2021-45046 and CVE-2021-44228: none of the Hibernate projects has a runtime dependency on Log4j core.

Source: https://in.relation.to/2021/12/16/log4j-cve/

Simon Martinelli
  • I have a question concerning this vulnerability, if you can please help me. So I'm using Hibernate Core 5.0.12, which uses JBoss Logging 3.3.1, and when I checked the JBoss Logging dependency, I see log4j: 1.2.16 2.0. Am I concerned by this vulnerability? Thanks in advance, Simon and all. – Ganesh Java Jan 12 '22 at 07:18
  • It's just using the API, not the implementation. – Simon Martinelli Jan 12 '22 at 08:47
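As an added example (not part of the question or either answer), the check a practitioner would run alongside `mvn dependency:list`: Maven's dependency list shows what Maven resolved, but the artifact that actually ships is the built jar, and a Spring Boot fat jar carries its dependencies as nested jars under BOOT-INF/lib/. The script below opens a jar, recurses into nested jars, and reports any log4j-core it finds with its version (from the Maven pom.properties the artifact carries) and whether JndiLookup.class is present, flagging anything below 2.17.1, the version the question reports after the upgrade. The fat jar it scans is constructed in memory to mimic the situation in the question (an old log4j-core next to a patched log4j-api and jboss-logging); the jar layout and file names are assumptions for illustration, not output of a real build.

```python
"""Scan a jar, including Spring Boot fat jars with nested BOOT-INF/lib/*.jar,
for log4j-core and report version and JndiLookup.class presence.
Added example for this Q&A; the sample jar below is constructed, not a real build."""
import io
import zipfile
from typing import Dict, List, Optional, Tuple

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
TARGET_VERSION = (2, 17, 1)  # version the question reports after the upgrade


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); non-numeric qualifiers and missing parts become 0."""
    parts: List[int] = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def scan_zip(zf: zipfile.ZipFile, where: str, findings: List[Dict]) -> None:
    names = set(zf.namelist())
    if CORE_POM_PROPS in names or JNDI_LOOKUP in names:
        version: Optional[str] = None
        if CORE_POM_PROPS in names:
            for line in zf.read(CORE_POM_PROPS).decode().splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        findings.append({
            "path": where,
            "version": version,
            # the class is still shipped in patched releases; the version decides,
            # class presence mainly matters for shaded or unversioned copies
            "jndi_lookup_present": JNDI_LOOKUP in names,
            # unknown version is treated as suspicious, not as safe
            "below_target": version is None or parse_version(version) < TARGET_VERSION,
        })
    # recurse into nested jars (fat jars keep dependencies under BOOT-INF/lib/)
    for name in sorted(names):
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                scan_zip(inner, f"{where}!/{name}", findings)


def scan_jar_bytes(data: bytes, label: str = "app.jar") -> List[Dict]:
    """Scan an in-memory jar; read a file's bytes and pass them in for a real artifact."""
    findings: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        scan_zip(zf, label, findings)
    return findings


def make_jar(entries: Dict[str, bytes]) -> bytes:
    """Build a jar (a zip) from a name -> content mapping; used for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_fat_jar() -> bytes:
    """Constructed sample, not a real build: BOOT-INF/lib/ with an old log4j-core,
    a patched log4j-api and jboss-logging (class entries are placeholder bytes)."""
    old_core = make_jar({
        CORE_POM_PROPS: b"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP: b"\xca\xfe\xba\xbe",
    })
    api = make_jar({
        "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties":
            b"groupId=org.apache.logging.log4j\nartifactId=log4j-api\nversion=2.17.1\n",
        "org/apache/logging/log4j/Logger.class": b"\xca\xfe\xba\xbe",
    })
    jboss = make_jar({
        "META-INF/maven/org.jboss.logging/jboss-logging/pom.properties":
            b"groupId=org.jboss.logging\nartifactId=jboss-logging\nversion=3.3.1.Final\n",
        "org/jboss/logging/Logger.class": b"\xca\xfe\xba\xbe",
    })
    return make_jar({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": old_core,
        "BOOT-INF/lib/log4j-api-2.17.1.jar": api,
        "BOOT-INF/lib/jboss-logging-3.3.1.Final.jar": jboss,
    })


if __name__ == "__main__":
    for finding in scan_jar_bytes(build_sample_fat_jar()):
        print(finding)
```

Only the log4j-core entry is reported; log4j-api and jboss-logging carry no log4j-core classes, which is what the accepted answer's point about Hibernate depending on the logging API rather than the implementation looks like on disk. Running the same scan against the real built artifact is the confirmation that the upgrade seen in `mvn dependency:list` actually reached what is deployed.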

After analysis and Stack Overflow help, I came to know that Hibernate Core 5.3.7.Final is not vulnerable in a Spring Boot project for the log4j vulnerability.

Ganesh Java