On Log4j security vulnerability

Hello everyone,

A disastrous security vulnerability was found recently: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package | LunaSec

CUBA Platform, as well as Jmix, does not use the Log4j library directly and does not bring it in through transitive dependencies. If you run these commands:

 ./gradlew :app-core:dependencies | grep log4j
 ./gradlew :app-web:dependencies | grep log4j

you should see only the bridge that routes Log4j 1.x API calls to SLF4J:

org.slf4j:log4j-over-slf4j:1.7.29

The vulnerability is located in the log4j-core module of Log4j version 2. If you use dependencies other than the standard CUBA add-ons, they can potentially bring in the vulnerable library, so check the dependency tree as shown above, or look at the contents of the deployed application.

If you find the log4j-core module with a version between 2.0 and 2.14.1 in the dependencies, immediately upgrade your project to the latest version of Log4j. In a CUBA application, you can do this by specifying the dependency with the required version in build.gradle, for example:

configure(globalModule) {
    dependencies {
        // Log4j 1.x API compatibility layer, pinned to the fixed release
        implementation 'org.apache.logging.log4j:log4j-1.2-api:2.15.0'
        // routes Log4j 2 API calls to SLF4J
        implementation 'org.apache.logging.log4j:log4j-to-slf4j:2.15.0'
        // the module that contains the vulnerability; the artifact is named log4j-core
        implementation 'org.apache.logging.log4j:log4j-core:2.15.0'
        // ...
    }
}
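The second check mentioned above, looking at the contents of the deployed application, can be scripted. The following is an added example, not part of the original post: it walks a directory, picks out log4j-core jars by file name, and reports those whose version falls in the 2.0 to 2.14.1 range. The function names and the sample directory are assumptions; only file names are inspected, so the sample needs no real jars.

```shell
#!/bin/sh
# Assumed helper (not from the original post): returns 0 (true) when VERSION
# is a log4j-core 2.x release from 2.0 up to and including 2.14.1.
log4j_core_is_vulnerable() {
    ver=$1
    major=$(printf '%s' "$ver" | cut -d. -f1)
    # strip qualifiers such as "-beta9" so the numeric comparisons work
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$minor" ] && minor=0
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 2 ] || return 1
    if [ "$minor" -lt 14 ]; then return 0; fi
    if [ "$minor" -eq 14 ] && [ "$patch" -le 1 ]; then return 0; fi
    return 1
}

# Walks an unpacked deployment (for example the lib directory of a deployed
# web application) and prints every log4j-core jar in the vulnerable range.
find_vulnerable_log4j_jars() {
    find "$1" -type f -name 'log4j-core-*.jar' | while IFS= read -r jar; do
        ver=$(basename "$jar" .jar | sed 's/^log4j-core-//')
        if log4j_core_is_vulnerable "$ver"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Constructed sample deployment: empty files with realistic jar names,
# including the bridge the post says a clean CUBA project shows.
SAMPLE_LIB=$(mktemp -d)
for name in log4j-core-2.14.1.jar log4j-core-2.15.0.jar \
            log4j-over-slf4j-1.7.29.jar log4j-core-2.0-beta9.jar; do
    : > "$SAMPLE_LIB/$name"
done

# Expected: the 2.14.1 and 2.0-beta9 jars are listed, 2.15.0 is not.
find_vulnerable_log4j_jars "$SAMPLE_LIB"
```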

Regards,
Konstantin