1

This is regarding the 0-day exploit found in log4j2 Java logging package https://www.lunasec.io/docs/blog/log4j-zero-day/

Below is my code : pom.xml

    <dependency>
        <groupId>org.hibernate.orm</groupId>
        <artifactId>hibernate-core</artifactId>
        <version>6.0.0.Alpha7</version>
        <scope>provided</scope>
     </dependency>

     <dependency>
        <groupId>org.hibernate</groupId>
        <artifactId>hibernate-envers</artifactId>
        <version>6.0.0.Alpha5</version>
     </dependency>

    <dependency>
        <groupId>org.hibernate.validator</groupId>
        <artifactId>hibernate-validator</artifactId>
        <version>6.0.13.Final</version>
     </dependency>

Each of above dependency has a inner dependency

   <dependency>
        <groupId>org.jboss.logging</groupId>
        <artifactId>jboss-logging</artifactId>
    </dependency>

And jboss-logging uses log4j » log4j 1.2.16 org.apache.logging.log4j » log4j-api 2.11.2

How do I update pom.xml to use org.apache.logging.log4j » log4j-core Version :2.15.0 ?

Any help would be much appreciated! Thank you

Shanz
  • 13
  • 1
  • 3

1 Answers1

2

you should put the 2 dependencies (log4j-api and log4j-core) with the new version in your dependencyManagment section in your pom. Maven will resolve the inner transitive dependencies to this version

Yosef-at-Panaya
  • 676
  • 4
  • 13
  • I wish there were more explanations on how to do that exactly. – mercury Mar 18 '22 at 06:56
  • Hello, i tried the similar way to upgrade my log4j version, and also added the properties like 2.17.2. Still i see the vulnerability for log4j cve-2019-17571, cve-2022-23305 – s.sathish kumar May 12 '22 at 07:04