any solution for log4j vulnerability issue?

[adnan-hasan]

Hello, I was checking the latest release 3.1.0 and it has log4j vulnerability. (org.apache.logging.log4j:log4j-api>Version 2.14.1)

Is there any fix planned for this issue?

[hyness]

Hello @adnan-hasan,

When I heard the news about the log4j vulnerability, I did look into it, but wasn't worried because you have to opt into log4j2 to use it which this image doesn't, we use the logging default which is logback. As I suspected this image is unaffected. The log4j-api jar you reference does not have any executable code, just the the apis. You can read more about this issue on the Spring Boot blog, but I'll include the most relevant quote below.

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

As you can see below, log4j-core is not included

# ls -la BOOT-INF/lib/ | grep log4j
-rw-r--r-- 1 root root  300365 Dec 17 22:26 log4j-api-2.14.1.jar
-rw-r--r-- 1 root root   17762 Dec 17 22:26 log4j-to-slf4j-2.14.1.jar

Thank you for this report, and your interest in this project

[adnan-hasan]

Perfect! I just checked version 3.0.4 and looks like it also doesn't use log4j-core. So it is safe to assume that for now, I can keep using version 3.0.4 and do not need an immediate update.