Spring Boot Log4J vulnerability Solution (2024)
We'll show you how to find the Log4j version to see if it's vulnerable or not.
Because most applications use the Spring Boot framework, we can use the steps below to determine the Log4j version used across multiple components.
Spring Boot version
- Build with Maven: To determine the spring boot version and its dependencies jars, look for the pom.xml file.
- Gradle build: Look for the dependencies.gradle file to determine the spring boot version and the jars that it depends on.
spring-boot-starter version
Find thespring-boot-starter
jar version once we have determined the spring boot version.Remember that
spring-boot-starter
is the Spring Boot framework's core starter engine, which has auto-configuration support, logging and YAML.Log4J version
It should be simple to determine the Log4J version used inspring-boot-starter
from the maven repo link of Spring Boot Starter library https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starterIt will help us to verify which log4j version is getting utilized internally in
spring-boot-starter.
Evaluate Log4J versions that may be affected.
Your module component is vulnerable if it uses a Log4J version between 2.0-beta-9 and 2.14.1.