What is the latest stable spring boot version in which log4j vulnerability is fixed?
What is the latest stable Spring Boot version in which the log4j vulnerability is fixed? I need to fix the log4j vulnerability in my current project. From the `mvn dependency:tree` command, I could see that Spring Boot version 2.3.3.RELEASE is referencing a vulnerable log4j version. I need to upgrade to a Spring Boot version where this vulnerability is fixed.
Solution 1 [1]:
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
The v2.5.8 and v2.6.2 releases (due Dec 23, 2021) will pick up Log4J v2.17.0.
Check https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
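The answer's key point is that the presence of `log4j-api` or `log4j-to-slf4j` in the tree (which `spring-boot-starter-logging` brings in) is not the problem; what matters is whether `log4j-core` is on the classpath and at which version. The following Python script is an added example, not part of the Stack Overflow answer or of Spring Boot itself: it parses `mvn dependency:tree` output, separates `log4j-core` findings from the bridge/API artifacts the answer describes as not exploitable on their own, and flags any `log4j-core` below 2.17.0 (the version the answer names). The two sample trees are constructed for illustration; their artifact versions are assumed, not taken from a real build.

```python
import re

# One line of `mvn dependency:tree` output looks like
#   [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
# i.e. groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w.\-]+):)?(?P<version>[\w.\-]+):(?P<scope>[a-z]+)"
)

LOG4J_GROUP = "org.apache.logging.log4j"
# Version the answer says Spring Boot 2.5.8 / 2.6.2 pick up; anything below it is flagged.
FIXED_VERSION = "2.17.0"
# Artifacts the answer describes as not exploitable on their own (no log4j-core).
HARMLESS_ALONE = {"log4j-api", "log4j-to-slf4j"}


def parse_version(v):
    """Turn '2.13.3' or '2.17.0-rc1' into a tuple of ints (numeric prefix only) for ordering."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def parse_tree(text):
    """Return (artifact, version, scope) for every org.apache.logging.log4j artifact in the tree."""
    found = []
    for line in text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group("group") == LOG4J_GROUP:
            found.append((m.group("artifact"), m.group("version"), m.group("scope")))
    return found


def assess(text):
    """Classify log4j artifacts: 'vulnerable' (log4j-core below FIXED_VERSION), 'ok' (log4j-core at or above it),
    'harmless_alone' (API / bridge jars only) and 'other' (remaining log4j modules)."""
    report = {"vulnerable": [], "ok": [], "harmless_alone": [], "other": []}
    for artifact, version, scope in parse_tree(text):
        if artifact == "log4j-core":
            key = "vulnerable" if parse_version(version) < parse_version(FIXED_VERSION) else "ok"
        elif artifact in HARMLESS_ALONE:
            key = "harmless_alone"
        else:
            key = "other"
        report[key].append((artifact, version, scope))
    return report


def has_exploitable_core(text):
    """True when a pre-fix log4j-core is on the classpath; this is the case that needs the upgrade."""
    return bool(assess(text)["vulnerable"])


# Constructed sample 1 (assumed versions): default Spring Boot logging (Logback); only the API and
# the log4j-to-slf4j bridge appear, which the answer says cannot be exploited on their own.
SAMPLE_DEFAULT_LOGGING = """\
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.3.3.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.3.3.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
[INFO] |  |  |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
"""

# Constructed sample 2 (assumed versions): project switched to spring-boot-starter-log4j2,
# which pulls in log4j-core; at 2.13.3 this is the case the answer describes as vulnerable.
SAMPLE_LOG4J2_STARTER = """\
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.3.3.RELEASE:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.13.3:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-core:jar:2.13.3:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-jul:jar:2.13.3:compile
"""

if __name__ == "__main__":
    for name, tree in (("default logging", SAMPLE_DEFAULT_LOGGING), ("log4j2 starter", SAMPLE_LOG4J2_STARTER)):
        print(f"{name}: exploitable log4j-core present = {has_exploitable_core(tree)}")
        for key, items in assess(tree).items():
            for artifact, version, scope in items:
                print(f"  [{key}] {artifact} {version} ({scope})")
```

To use it on a real project, pipe `mvn dependency:tree` output into `assess()`; a non-empty `vulnerable` list means `log4j-core` is below the fixed version and the Spring Boot (or managed Log4j) version must be raised, while a tree that only yields `harmless_alone` entries matches the answer's description of an unaffected default-logging setup.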
Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

| Solution | Source |
|---|---|
| Solution 1 | Stack Overflow |
