Head Photo by: Fabian Jones

How to Upgrade log4j

With the recent log4j vulnerability, everyone is currently patching their Java applications. In this article, we take a look at what such a patch can look like.

Usually, we don't use log4j directly but pull it in transitively through another Maven dependency. To identify which log4j version we are using, the following command can be used:

$ mvn dependency:tree | grep log4j

This command prints the complete dependency tree and then filters it for the term "log4j". The output may look something like this:

org.apache.logging.log4j:log4j-api:jar:2.7:compile
org.apache.logging.log4j:log4j-core:jar:2.7:compile
org.apache.logging.log4j:log4j-slf4j-impl:jar:2.7:compile

As we can see, we're using a vulnerable version of log4j (2.7). To upgrade to a safe version (2.17.0), we can now add the following to the pom.xml file:

<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>2.17.0</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>2.17.0</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-slf4j-impl</artifactId>
  <version>2.17.0</version>
</dependency>

If we now execute this command again, we can see that the vulnerable log4j dependency is gone:

$ mvn dependency:tree | grep log4j
org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
org.apache.logging.log4j:log4j-slf4j-impl:jar:2.17.0:compile

If your output shows only the log4j-api dependency, your application does not pull in the vulnerable log4j-core artifact.
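As an added example (not code from the article), here is a small POSIX shell check that automates the inspection above: it reads `mvn dependency:tree` output on stdin, picks out every log4j-core coordinate and fails when one is older than 2.17.0, so it can gate a CI build. The 2.17.0 threshold and the coordinate format come from the article; the function names and the sample lines are my own.

```shell
#!/bin/sh
# Added example, not from the original article: scan `mvn dependency:tree`
# output for log4j-core and fail if any version is older than the fixed
# release the article upgrades to (2.17.0).
# CI usage:  mvn dependency:tree | check_log4j_tree
MIN_LOG4J_VERSION="2.17.0"

# Returns 0 if dotted version $1 >= dotted version $2 (up to three numeric
# parts; a qualifier such as "0-beta9" is compared as 0, which is conservative).
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= 3; i++) {
            a = (i <= n) ? h[i] + 0 : 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Reads dependency:tree text on stdin (with or without the "[INFO] +-" prefix
# Maven prints). Prints a verdict per log4j-core coordinate and returns 1 if
# any vulnerable (pre-2.17.0) log4j-core is present. No log4j-core at all
# is a pass: only log4j-api being present means core is not pulled in.
check_log4j_tree() {
    status=0
    for coord in $(grep -o 'org\.apache\.logging\.log4j:log4j-core:[^ ]*'); do
        # coordinate layout: groupId:artifactId:type:version:scope
        version=$(printf '%s' "$coord" | cut -d: -f4)
        if version_at_least "$version" "$MIN_LOG4J_VERSION"; then
            echo "OK         $coord"
        else
            echo "VULNERABLE $coord (need >= $MIN_LOG4J_VERSION)"
            status=1
        fi
    done
    return $status
}
```

The grep is deliberately narrower than the article's `grep log4j`, so log4j-api and log4j-slf4j-impl lines do not trigger a false alarm.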

Aymen Furter

DevOps – Linux — Kubernetes –Azure — Java — JS — Apache Camel