Get rid of spring-boot-starter-data-mongodb dependency on vulnerable Log4J version

Given that Log4J 2.x is suffering from a major remote code execution vulnerability (Check vulnerability), I started taking a look at my project dependencies to see if I use Log4J through e.g. slf4j, and luckily I do not.

But I found another dependency on Log4J through spring-boot-starter-data-mongodb. The last version of the package was released in Nov. 2021, so the issue is not mitigated there.

How can I get rid of the dependency without getting rid of spring-boot-starter-data-mongodb, as I rely heavily on it?

➜  mvn dependency:tree | grep -B 5 log4j
[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile

Solution:

Per the Spring blog, you don’t need to:

The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
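As an added check (not from the original post or the Spring blog), the shell snippet below classifies the Log4J artifacts in a `mvn dependency:tree` listing, separating log4j-core from the api and bridge jars that the answer says are not exploitable on their own. The sample tree is the fragment quoted in the question; the function names are my own.

```shell
#!/bin/sh
# Added example: classify Log4J 2 artifacts found in `mvn dependency:tree` output.
# Only log4j-core carries the exploitable lookup code; log4j-api and
# log4j-to-slf4j on their own do not.

# Constructed sample: the dependency tree fragment quoted in the question.
SAMPLE_TREE='[INFO] +- org.springframework.boot:spring-boot-starter-data-mongodb:jar:2.2.5.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.2.5.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.2.5.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.12.1:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.12.1:compile'

# Print "groupId:artifactId:version" for every Log4J 2 artifact in a tree read from stdin.
log4j_artifacts() {
    grep -o 'org\.apache\.logging\.log4j:[^:]*:jar:[^:]*' | sed 's/:jar:/:/' | sort -u
}

# Succeed (exit 0) only if log4j-core appears anywhere in the tree read from stdin.
log4j_core_present() {
    grep -q 'org\.apache\.logging\.log4j:log4j-core:'
}

# One-line verdict for a tree read from stdin.
log4j_verdict() {
    tree="$(cat)"
    if printf '%s\n' "$tree" | log4j_core_present; then
        echo "log4j-core present: review its version and apply mitigations"
    else
        echo "no log4j-core: only api/bridge jars, not exploitable on their own"
    fi
}

# Usage on the constructed sample; on a real project pipe `mvn dependency:tree` instead.
printf '%s\n' "$SAMPLE_TREE" | log4j_artifacts
printf '%s\n' "$SAMPLE_TREE" | log4j_verdict
```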
