December 14, 2021

Fixing the Log4j2 vulnerability (CVE-2021-44228) in a Spring Boot application

 Hi all,

The software industry was shaken by the Log4j2 zero-day exploit, widely known as Log4Shell.

Exploited area

Apache Log4j2 versions 2.0-beta9 through 2.14.1 are exploitable because the library resolves JNDI lookups (strings of the form ${jndi:...}) that appear inside logged messages. An attacker who can get such a string into any log line (a User-Agent header, a form field, a username) can point the application at an LDAP or RMI endpoint they control and have it load and run a remote class. No special privileges are needed; logging untrusted input is enough.

Appendix

LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for accessing directory services.

JNDI (Java Naming and Directory Interface) is a Java API for naming and directory services that allows Java clients to discover and look up data and resources by name, including over LDAP and RMI.

Find more information about the vulnerability on the NVD page linked below.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

NVD (National Vulnerability Database) is maintained by the National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce.

Fix the vulnerability

  • Even the latest Spring Boot release at the time of writing still manages the vulnerable 2.14.1 Log4j2 version through its parent POM.
  • Note that Spring Boot's default logging starter (spring-boot-starter-logging) only pulls in the log4j-api and log4j-to-slf4j bridge artifacts; the exploitable JNDI lookup code lives in log4j-core, which arrives with spring-boot-starter-log4j2 or an explicit log4j-core dependency. Override the version either way so nothing stale remains on the classpath.
  • So, we need to explicitly pin the version with the log4j2.version property as below. This works when the project inherits from spring-boot-starter-parent; if the project instead imports spring-boot-dependencies in dependencyManagement, the property has no effect and the Log4j2 version must be declared in dependencyManagement before the Spring Boot import.
  • In pom.xml, create the <properties> tag if it does not exist and add the log4j2.version property with version 2.16.0 (the latest release at the time of writing; later 2.17.x releases fixed further Log4j2 issues, so use the newest available).

<properties>
    <log4j2.version>2.16.0</log4j2.version>
</properties>

  • To check the version actually resolved for the project, run the following command
mvn dependency:tree | grep "log4j"
  • For a project on the default logging starter the result should look like below; a project using spring-boot-starter-log4j2 will also list log4j-core, which must show 2.16.0 as well. If any log4j artifact still shows 2.14.1 or earlier, the override did not take effect.
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.16.0:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile

  • Other build tools need the equivalent override: with Gradle and Spring Boot's dependency-management plugin the same log4j2.version property is set as an ext property in build.gradle, and the gradle dependencies task shows the resolved versions.
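Because the fix is only complete once every copy of log4j-core on the classpath is at a patched version, it is worth turning the manual grep above into a check that can run in CI. The script below is an added example (not from the original post or from Spring Boot) that reads mvn dependency:tree output from stdin, flags log4j-core entries in the affected range (2.0-beta9 through 2.15.0, covering CVE-2021-44228 and the follow-up CVE-2021-45046), and fails the build when any remain. The dependency trees embedded in it are constructed sample output, not from a real build.

```shell
#!/bin/sh
# Added example: audit `mvn dependency:tree` output for log4j-core versions
# still in the range affected by CVE-2021-44228 / CVE-2021-45046.
# Not part of the original post; the sample trees below are constructed.

# Prints "artifactId version scope" for every log4j-core entry below 2.16.0.
# Tree lines look like:
#   [INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
# The version is the second-to-last ':' field, so trailing notes such as
# "(version managed from 2.14.1)" in the scope field do not break parsing.
find_vulnerable_log4j() {
  awk -F: '
    $1 ~ /org\.apache\.logging\.log4j$/ && $2 == "log4j-core" {
      version = $(NF - 1)
      scope = $NF
      split(version, v, "[.]")
      # "2.0-beta9" splits to v[2] = "0-beta9"; +0 coerces it to 0, still < 16
      if (v[1] == 2 && (v[2] + 0) < 16) print $2, version, scope
    }' | sort -u
}

# Exit status for CI: 0 when no vulnerable log4j-core remains, 1 otherwise.
audit_log4j_tree() {
  found=$(find_vulnerable_log4j)
  if [ -n "$found" ]; then
    printf 'VULNERABLE log4j-core found:\n%s\n' "$found" >&2
    return 1
  fi
  echo "no vulnerable log4j-core in dependency tree"
  return 0
}

# Constructed sample: a project on spring-boot-starter-log4j2 before the override.
BEFORE_FIX='[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile'

# Constructed sample: the same project after <log4j2.version>2.16.0</log4j2.version>.
AFTER_FIX='[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.16.0:compile (version managed from 2.14.1)
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.16.0:compile (version managed from 2.14.1)
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.16.0:compile (version managed from 2.14.1)
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.16.0:compile (version managed from 2.14.1)'

# Run with --demo to see both samples audited; real use is
#   mvn -q dependency:tree | audit_log4j_tree
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$BEFORE_FIX" | audit_log4j_tree || true
  printf '%s\n' "$AFTER_FIX" | audit_log4j_tree
fi
```

The check deliberately looks only at log4j-core, the artifact that contains the JNDI lookup, so a tree that carries only the api and bridge jars passes; if you also want to catch a stale bridge after the property override, widen the artifactId match.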


Hope you find the above information useful; apply the fix immediately and redeploy to keep your servers safe from attacks.

Send your valuable feedback and comments to psrdotcom@gmail.com
