Log4j2 vulnerability and Lombok annotation @Log4j2
We are using Spring Boot 2.1.5 and the starter parent as the pom dependency.
Spring Boot is using the default Logback for logging, and we haven't explicitly switched to Log4j2 or changed any configuration. Below is our project dependency tree.
We have a lot of Lombok @Log4j2 annotations in our project. But we find that in the dependency tree we do not have any log4j2-core jar dependency (which has been found vulnerable to the recent issues with log4j).
```java
@Log4j2
@Service
@DependsOn("applicationDependencyCheck")
```
Is Lombok @Log4j2 not dependent on log4j2-core.jar? Is it correct to assume this would show up in the Maven dependency tree, or are we missing something?
This is our Lombok entry:
```xml
<dependency>
    <groupId>org.projectlombok</groupId>
    <artifactId>lombok</artifactId>
    <optional>true</optional>
</dependency>
```
Please share some insights.
Thanks
Solution 1:[1]
In the Lombok documentation you can find it here: https://projectlombok.org/api/lombok/extern/log4j/Log4j2.html
```java
@Log4j2
public class LogExample {
}
```
will generate:
```java
public class LogExample {
    private static final org.apache.logging.log4j.Logger log =
        org.apache.logging.log4j.LogManager.getLogger(LogExample.class);
}
```
Both classes are present in the log4j API jar:
- https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/LogManager.html
- https://logging.apache.org/log4j/2.x/log4j-api/apidocs/org/apache/logging/log4j/Logger.html
There are no known vulnerabilities listed here: https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api
As described here, https://logging.apache.org/log4j/2.x/log4j-api/index.html, the log4j API is just an interface.
I think in such a case your code does not depend on log4j core. You can double-check the output of the build (e.g. the Maven /target folder, war file, etc.).
Solution 2:[2]
Definitely @Mariusz W.'s answer is the best.
Despite that, I notice your print shows a dependency on logback-core-1.2.3 [1], which has the CVE-2021-42550 vulnerability [2].
Keep an eye on that.
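Both answers come down to the same check: look at what the build actually resolves rather than at the annotations. The script below is an added example (not from either answer or from the Lombok or Spring projects): it parses `mvn dependency:tree` output, reports whether `log4j-core` is on the classpath at all, and flags `logback-core` below an assumed fixed release for CVE-2021-42550. The sample tree is constructed (the question does not reproduce the real one), and the `1.2.9` threshold is an assumption to verify against the advisory.

```python
import re
from collections import namedtuple

Dep = namedtuple("Dep", "group artifact version scope")

# Constructed sample of `mvn dependency:tree` output for a Spring Boot 2.1.x app with Lombok.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.5.RELEASE:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |     \\- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] \\- org.projectlombok:lombok:jar:1.18.8:compile
"""

# Assumed first logback release without CVE-2021-42550; verify against the advisory.
LOGBACK_FIXED = (1, 2, 9)

def parse_tree(text):
    """Extract group, artifact, version and scope from each [INFO] line of the tree."""
    deps = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        parts = line.split()[-1].split(":")   # Maven coordinate is the last token
        if len(parts) == 4:                    # root: group:artifact:type:version
            deps.append(Dep(parts[0], parts[1], parts[3], "root"))
        elif len(parts) == 5:                  # group:artifact:type:version:scope
            deps.append(Dep(parts[0], parts[1], parts[3], parts[4]))
        elif len(parts) == 6:                  # group:artifact:type:classifier:version:scope
            deps.append(Dep(parts[0], parts[1], parts[4], parts[5]))
    return deps

def version_tuple(version):
    """'1.2.3' -> (1, 2, 3); non-numeric qualifiers such as RELEASE count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.-]", version))

def audit(deps):
    """Findings: any log4j-core on the classpath, and logback-core older than LOGBACK_FIXED."""
    findings = []
    for d in deps:
        if (d.group, d.artifact) == ("org.apache.logging.log4j", "log4j-core"):
            findings.append(f"log4j-core {d.version} present (scope {d.scope})")
        if (d.group, d.artifact) == ("ch.qos.logback", "logback-core") \
                and version_tuple(d.version) < LOGBACK_FIXED:
            fixed = ".".join(map(str, LOGBACK_FIXED))
            findings.append(f"logback-core {d.version} predates {fixed} (CVE-2021-42550)")
    return findings
```

To run it against a real project, save the output of `mvn dependency:tree` to a file and pass its contents to `parse_tree`, then inspect `audit` on the result.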
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Mariusz W. |
| Solution 2 | procrastinator |