
How to Upgrade log4j

With the recent log4j vulnerability, everyone is currently patching their Java applications. In this article, we take a look at what such a patch can look like.

Usually we don’t use log4j directly but pull it in transitively through another Maven dependency. To identify which log4j version we are actually using, the following command can be used:

$ mvn dependency:tree | grep log4j

This command prints the complete dependency tree and filters it for the term “log4j”. The output may look something like this:

org.apache.logging.log4j:log4j-api:jar:2.7:compile
org.apache.logging.log4j:log4j-core:jar:2.7:compile
org.apache.logging.log4j:log4j-slf4j-impl:jar:2.7:compile

As we can see, we’re using a vulnerable version of log4j (2.7). To upgrade to a safe version (2.17.0), we can add the following dependencies to the pom.xml file. Declaring them directly overrides the versions pulled in transitively, because Maven resolves a direct dependency ahead of one found deeper in the tree:

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
</dependency>

If we now run the command again, we can see that the vulnerable log4j version is gone:

$ mvn dependency:tree | grep log4j
org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile

You may find only the log4j-api dependency in your output. This means you are not using the vulnerable log4j-core dependency, which is the artifact the vulnerability lives in.
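The grep above shows the versions, but it still leaves a human to read them. The following script is an added example (not from the article) that turns the identify-and-verify steps into a check: it reads mvn dependency:tree output on stdin, picks out every log4j-core coordinate, compares its version against the 2.17.0 target the article upgrades to, and exits non-zero if anything older is found. The tree lines at the bottom are constructed sample input, not captured from a real build, and the script assumes the usual group:artifact:type:version:scope layout of a tree line (no classifier field).

```shell
#!/bin/sh
# Added example, not part of the original article.
# Scan `mvn dependency:tree` output for log4j-core artifacts older than the
# fixed version the article upgrades to. Sample input below is constructed.

FIXED_VERSION="2.17.0"

# version_lt A B: succeed (exit 0) if version A is lower than version B,
# comparing dot-separated components numerically so that 2.7 < 2.17.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1                             # equal versions are not "lower"
    }'
}

# scan_tree: read dependency:tree lines on stdin, print a verdict for each
# log4j-core coordinate, and return 1 if any of them is below FIXED_VERSION.
# Assumes tree lines of the form group:artifact:type:version:scope.
scan_tree() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *org.apache.logging.log4j:log4j-core:*) ;;
            *) continue ;;
        esac
        # Drop the "[INFO] +- " tree-drawing prefix, keep the coordinate.
        coord="org.apache.logging.log4j:${line##*org.apache.logging.log4j:}"
        version=$(printf '%s\n' "$coord" | cut -d: -f4)
        if version_lt "$version" "$FIXED_VERSION"; then
            printf 'VULNERABLE %s (below %s)\n' "$coord" "$FIXED_VERSION"
            found=1
        else
            printf 'OK %s\n' "$coord"
        fi
    done
    return $found
}

# Demo on constructed tree output, as the article's first `mvn dependency:tree`
# run would show it before the pom.xml change. In real use pipe the build in:
#   mvn dependency:tree | scan_tree
if scan_tree <<'EOF'
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.7:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.7:compile
EOF
then
    echo "no log4j-core below $FIXED_VERSION found"
else
    echo "upgrade required"
fi
```

Because the verdict is carried in the exit status, the same function drops into a CI step as a gate: after the pom.xml change from the article, the second run prints only OK lines and returns 0.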

Aymen Furter

DevOps – Linux — Kubernetes –Azure — Java — JS — Apache Camel