Recently, major vulnerabilities have been revealed in log4j2. The company also urgently requires all projects to check themselves and upgrade the version of log4j to a safe version
At present, we are using springboot version 1.5.9, and the built-in log4j2 is version 2.7. Although mybatis is integrated, the built-in version of log4i is still based on springboot
There are two schemes, one is officially provided and recommended by individuals, and the other is summarized based on online. The test results are also correct
Method 1: recommended by the spring official website (it is strongly recommended to use the official website)
https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
The official website introduces two situations,
Case 1: directly use the parent pom of soringboot, similar to the following (the following method is recommended)
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>1.5.9.RELEASE</version>
<relativePath/>
</parent>
In this case, you need to use the POM of your own project Add the following code to the XML file
<properties>
<log4j2.version>2.16.0</log4j2.version>
</properties>
If the POM of your own project The < Properties > tag is already in the XML file, so you can add < log4j2. XML version>2.16.0</log4j2. Version >, the version can be selected by yourself, preferably > = version 2.15
Add the reason here, < Properties > can override the dependent version introduced in the parent pom file
After the change, you can check whether the dependent version of your project has been upgraded. I choose to upgrade to version 2.15
The advantage of this method is that you don't need to find one by one. Basically, as long as the parent pom is set, other basic will be upgraded synchronously
Case 2: instead of taking the pom file of springboot as the parent pom, it is introduced as a dependency
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>2.16.0</version>
<scope>import</scope>
<type>pom</type>
</dependency>
... other dependencies including spring-boot-dependencies
</dependencies>
</dependencyManagement>
I haven't tried to be specific. I just translated the official website and chose the version myself
Mode 2
Directly say how to change it (this is changed by colleagues, and I took it directly for use)
Parent POM xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.15.0</version>
</dependency>
POM of web module xml
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.15.0</version>
</dependency>
The principle is to eliminate the dependency of the jar package related to log4j in the original dependency, < exclusions >, < exclusion >, and then re introduce the required jar package and indicate the version
Someone wrote a piece of code on the Internet before
Replace the following code in the pom file, and an error occurs when starting the project
Original:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-log4j2</artifactId> </dependency>
Replace with:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<exclusions>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.15.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.15.0</version>
</dependency>
I tried it and reported an error after replacement. My original built-in log4j version was 2.7
After replacement, errors are always reported, and the project cannot start. classNotFound
java.lang.NoClassDefFoundError: org/apache/logging/log4j/util/ReflectionUtil at org.apache.logging.slf4j.Log4jLoggerFactory.getContext(Log4jLoggerFactory.java:42) at org.apache.logging.log4j.spi.AbstractLoggerAdapter.getLogger(AbstractLoggerAdapter.java:47) at org.apache.logging.slf4j.Log4jLoggerFactory.getLogger(Log4jLoggerFactory.java:29) at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:284) at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:304) at com.sunmnet.ybt.ApplicationConfig.<clinit>(ApplicationConfig.java:59) Caused by: java.lang.ClassNotFoundException: org.apache.logging.log4j.util.ReflectionUtil at java.net.URLClassLoader.findClass(URLClassLoader.java:382) at java.lang.ClassLoader.loadClass(ClassLoader.java:418) at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:355) at java.lang.ClassLoader.loadClass(ClassLoader.java:351) ... 6 more Exception in thread "main"
Here I'll talk about my reasons. If you are interested, you can have a look
I went to version 2.7 and found this class, but version 2.15 did not have this class. I looked at the dependencies of my whole project and found a problem,
Did you find any problems? The above two jar packages have been upgraded, but there are still two that haven't been upgraded
Moreover, I introduced a log4j web dependency in the web module. Its version is 2.7, and this dependency requires log4j API and log4j core. The two versions are upgraded again. The problem of inconsistent versions leads to some classes not being found. If there is a problem with the dependent version, it should also be upgraded.
It's very troublesome. You need to go to the pom file of each module to see if there is a separate dependency on log4j, so it is strongly recommended to set it as recommended on the spring official website
In a word, the reason why I have the above problem is that there are dependencies related to log4j separately introduced in other places, and the version is inconsistent with your upgrade. (if you think what you said is wrong, you are welcome to point it out). Therefore, it is highly recommended to use the method recommended by the spring official website to upgrade the log4j2 version, unless you are very clear about your project and know where there are dependencies on log4j2