The following post will help you resolve the Log4j security vulnerabilities CVE-2021-45046 and CVE-2021-44228. This is a CRITICAL security vulnerability that should be fixed as soon as you’re able to. This fix is specific to Spring Boot and Maven only!
This tutorial to fix the Log4j security vulnerability is specifically for Java applications that use Spring Boot and Maven ONLY! You must also be using Spring’s parent POM; if not, then you will have to declare the log4j-bom explicitly. Side note: this fix should also help you get past the Spring Boot CVE flag in Sysdig.
1.) Set a log4j2.version property for the Log4j version in your Maven file (pom.xml) like below:
    <log4j2.version>2.17.2</log4j2.version>
If you don’t have a properties section in your Maven file, then it should look like the below:
    <properties>
        <log4j2.version>2.17.2</log4j2.version>
    </properties>
2.) Set your Spring Boot version to 2.6.3. If you’re pulling in the parent POM from Spring, then it will look like the following:
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.3</version>
        <relativePath/>
    </parent>
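Both steps above in one complete pom.xml, as an added example that is not from the original post. It assumes a Spring Boot web application with made-up coordinates (com.example:demo-app) that logs through Log4j 2 via spring-boot-starter-log4j2; everything else is the page's own settings.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom.xml (not from the original post). Assumed project:
     a Spring Boot web app, com.example:demo-app, using Log4j 2 for logging. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <!-- Step 2: the Spring Boot parent POM. Its spring-boot-dependencies
         section is what defines the log4j2.version property, which is why
         the property override in step 1 only works when this parent is used. -->
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.3</version>
        <relativePath/>
    </parent>

    <!-- Assumed coordinates for the example application. -->
    <groupId>com.example</groupId>
    <artifactId>demo-app</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <java.version>11</java.version>
        <!-- Step 1: pin every managed org.apache.logging.log4j artifact to a
             version not affected by CVE-2021-44228 / CVE-2021-45046. -->
        <log4j2.version>2.17.2</log4j2.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
            <exclusions>
                <!-- Drop the default Logback starter so Log4j 2 is the only backend. -->
                <exclusion>
                    <groupId>org.springframework.boot</groupId>
                    <artifactId>spring-boot-starter-logging</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <!-- No <version> here: log4j-core/log4j-api are resolved through the
                 managed log4j2.version property above. -->
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-log4j2</artifactId>
        </dependency>
    </dependencies>

    <!-- Only for projects that import spring-boot-dependencies as a BOM instead
         of inheriting the parent: BOM properties are not inherited, so the
         log4j2.version override is ignored. Import log4j-bom FIRST instead
         (the first import of a managed artifact wins). -->
    <!--
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-bom</artifactId>
                <version>2.17.2</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-dependencies</artifactId>
                <version>2.6.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    -->
</project>
```

After changing the POM, confirm what Maven actually resolves rather than trusting the property: `mvn dependency:tree -Dincludes=org.apache.logging.log4j` should list every log4j-* artifact at 2.17.2. A transitive dependency that pins its own log4j-core version will show up here and needs an explicit exclusion or a managed version of its own.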
The Spring team has said that a fix will ship in version 2.6.3 (for those on Spring Boot 2.6.x) on December 23rd, 2021, so remember to update at that time if you want to remove the explicit log4j2 version override from your Maven file.
The Spring Boot version above should also clear the VULNDB-275958 finding that appears in Sysdig scans!
Vector image provided by Vectorstock.