The Log4j vulnerability and how to update

Log4j is a popular Java logging framework. There are currently almost 7,000 Maven artifacts that depend on the vulnerable artifact log4j-core, and countless Java projects use it. The vulnerabilities allow an attacker to perform remote code execution by abusing the insecure JNDI lookup feature exposed by the logging library. This exploitable feature was enabled by default in many versions of the library. The flaw has existed since 2013 but was only discovered in December 2021.

How to update

You can force your dependency management tool (Gradle or Maven) to use the secure version.

Gradle

Force the version to 2.17.0 in your build.gradle file by adding the following:

configurations.all {
  resolutionStrategy.eachDependency { details ->
    // applies to every org.apache.logging.log4j artifact, direct or transitive
    if (details.requested.group == 'org.apache.logging.log4j') {
      details.useVersion '2.17.0'
      details.because 'zero-day-exploit' // reason shown in dependency reports
    }
  }
}

dependencies {
…
}

Run

gradle dependencies

and inspect the output. Copy and paste it into your favorite editor and search for “log4j-core”. Every log4j-core entry should resolve to version 2.17.0.

Maven

Pin the secure version in your pom.xml:

<properties>
    <log4j2.version>2.17.0</log4j2.version>
</properties>

<dependencies>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-api</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-core</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.logging.log4j</groupId>
        <artifactId>log4j-slf4j-impl</artifactId>
        <version>${log4j2.version}</version>
    </dependency>
</dependencies>

Run the following to verify:

mvn dependency:tree

and inspect the output. Copy and paste it into your favorite editor and search for “log4j-core”. Every log4j-core entry should resolve to version 2.17.0.
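The manual "search the output for log4j-core" step above can be scripted. The following is an added example, not code from the original post: it parses the text printed by gradle dependencies or mvn dependency:tree, takes the version Gradle actually resolved (the one after "->") where present, and reports every log4j-core below 2.17.0. The sample Gradle output is constructed, not captured from a real build.

```python
import re

# One log4j-core coordinate as printed by `mvn dependency:tree` (group:artifact:type:version:scope)
# or by `gradle dependencies` (group:artifact:version, plus "requested -> resolved" when overridden).
LOG4J_CORE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core"
    r"(?:[^\s\d]*:(?P<requested>\d[\w.\-]*))?"  # ":jar:2.14.1" (Maven) or ":2.14.1" (Gradle)
    r"(?:\s*->\s*(?P<resolved>\d[\w.\-]*))?"    # Gradle's override arrow
)
SAFE_VERSION = "2.17.0"  # the version pinned in the build files above

def version_key(version: str) -> tuple:
    """'2.17.0' -> (2, 17, 0); a pre-release suffix such as '-beta9' counts as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def find_log4j_core(output: str, minimum: str = SAFE_VERSION) -> list:
    """Return (line_no, effective_version, is_safe) for every log4j-core line."""
    findings = []
    for line_no, line in enumerate(output.splitlines(), start=1):
        if "- omitted for" in line:  # `mvn -Dverbose` lists conflict losers that never reach the classpath
            continue
        m = LOG4J_CORE.search(line)
        if not m:
            continue
        # Gradle prints the resolved version after "->"; otherwise the coordinate's version is on the classpath
        effective = m.group("resolved") or m.group("requested")
        is_safe = effective is not None and version_key(effective) >= version_key(minimum)
        findings.append((line_no, effective, is_safe))
    return findings

def unsafe_versions(output: str, minimum: str = SAFE_VERSION) -> list:
    """Versions of log4j-core below `minimum` (None where no version could be parsed)."""
    return [v for _, v, ok in find_log4j_core(output, minimum) if not ok]

# Constructed `gradle dependencies` output, before and after the resolutionStrategy block is added.
GRADLE_BEFORE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.apache.logging.log4j:log4j-api:2.17.0
\\--- com.example:legacy-lib:3.2.0
     \\--- org.apache.logging.log4j:log4j-core:2.14.1
"""
GRADLE_AFTER = GRADLE_BEFORE.replace("log4j-core:2.14.1", "log4j-core:2.14.1 -> 2.17.0")

if __name__ == "__main__":
    for name, output in (("before", GRADLE_BEFORE), ("after", GRADLE_AFTER)):
        bad = unsafe_versions(output)
        print(f"{name}: {'VULNERABLE ' + str(bad) if bad else 'only ' + SAFE_VERSION + ' resolved'}")
```

If the scan flags a transitive log4j-core that the pom.xml above did not override, pin it in a dependencyManagement block so the version also applies to dependencies you do not declare directly.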
