TL/DR > Spring Boot has got your back yet again. The way we @ DTF along with vast majority of the world is using Spring Boot, it is safe against log4j2 vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 (updating this list as they come). That being said, although Spring Boot gives you rock-solid fundamentals and defaults, it is also flexible and gives you an option to eventually switch to vulnerable versions of log4j2, details bellow.
log4j-api jars that are included in spring-boot-starter-logging cannot be exploited on their own. Only applications that would override this by switching the default logging system to log4j2 and are using
log4j-core and including user input in log messages are vulnerable. Spring Boot team has responded with this article and it is being updated as more info, CVEs and mitigation plans are coming in.
You can sleep well (while still being vigilant) if you’re following these simple rules as we do:
- Be on supported versions of frameworks you are using (Spring Boot 2.5.x and 2.6.x at time of writing this article)
- Use CVE-checking tools in your CI/CD (like OWASP dependency-check that we are using in test stage of our GitLab pipelines)