Spring Boot and log4j2 vulnerability

TL;DR: Spring Boot has got your back yet again. Used the way we at DTF (along with the vast majority of the world) use it, Spring Boot is safe against the log4j2 vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 (we are updating this list as they come). That being said, although Spring Boot gives you rock-solid fundamentals and defaults, it is also flexible and lets you switch to vulnerable versions of log4j2 yourself; details below.

The log4j-to-slf4j and log4j-api jars that are included in spring-boot-starter-logging cannot be exploited on their own. Only applications that override this default by switching the logging system to log4j2, pull in log4j-core, and include user input in log messages are vulnerable. The Spring Boot team has responded with this article, which is being updated as more info, CVEs and mitigation plans come in.

You can sleep well (while still being vigilant) if you’re following these simple rules as we do:

  1. Be on supported versions of the frameworks you are using (Spring Boot 2.5.x and 2.6.x at the time of writing this article)
  2. Use CVE-checking tools in your CI/CD (like OWASP dependency-check, which we run in the test stage of our GitLab pipelines)
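A quick complement to the two rules above (an added example, not code from DTF or the Spring Boot team): a POSIX shell check that scans `mvn dependency:tree` output for `log4j-core`, passes when the artifact is absent (the default `log4j-to-slf4j` / `log4j-api` path) or at least 2.17.0 (the release that closes all three CVEs listed above on Java 8), and fails the build otherwise. The dependency-tree text below is constructed sample output, the Maven line format is assumed, and the check is a cheap pre-filter, not a replacement for OWASP dependency-check.

```shell
#!/bin/sh
# Constructed sample: a default Spring Boot app (no log4j-core on the classpath).
SAMPLE_DEFAULT='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.6.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile'

# Constructed sample: an app that switched to spring-boot-starter-log4j2 and
# therefore carries an unpatched log4j-core.
SAMPLE_SWITCHED='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile'

# check_log4j_core TREE [MIN_VERSION]
#   TREE is the text of `mvn dependency:tree`; MIN_VERSION defaults to 2.17.0.
#   Exit 0 when log4j-core is absent or >= MIN_VERSION, exit 1 otherwise.
#   Pre-release suffixes (e.g. 2.15.0-rc1) compare as their numeric prefix.
check_log4j_core() {
  printf '%s\n' "$1" | awk -v min="${2:-2.17.0}" '
    # Turn "major.minor.patch" into one comparable integer.
    function vnum(v,  a) { split(v, a, "."); return a[1]*1000000 + a[2]*1000 + a[3] }
    /org\.apache\.logging\.log4j:log4j-core:jar:/ {
      split($0, f, ":"); ver = f[4]; found = 1
      if (vnum(ver) < vnum(min)) { bad = 1; print "FAIL: log4j-core " ver " < " min }
      else print "OK: log4j-core " ver " is patched"
    }
    END {
      if (!found) print "OK: log4j-core absent (log4j-to-slf4j/log4j-api only)"
      exit bad + 0
    }'
}

# Usage in a pipeline job: check_log4j_core "$(mvn dependency:tree)" || exit 1
check_log4j_core "$SAMPLE_DEFAULT"
check_log4j_core "$SAMPLE_SWITCHED" || echo "build would fail here"
```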

Jmix is the next stage of Cuba RAD framework

As a late Christmas present, we have discovered that the guys at Haulmont intend to push our favorite Spring-based open-source Rapid Application Development framework, Cuba, to new heights by re-branding it to Jmix (not important) and making a bunch of architectural decisions in the right direction (very important).

We have delivered some powerful business apps to our clients using Cuba and have thus also experienced its shortcomings, which we eventually had to overcome. Hence we are extremely thrilled about the intention to reduce framework redundancy with Spring and get closer to vanilla Spring Boot. We are also very happy to see a proper migration approach, adopting Liquibase, as we had to write our own migrations for previous versions of Cuba. There's a bunch of good stuff announced, but I will refrain from elaborating further to honor the no-needless-redundancy principle; feel free to dig in here.

We will keep an eye on releases for you and let you know about our hands-on experience with Jmix as soon as we deliver a project on it. Stay tuned.

Jmix as a xmas present, image © Jmix / Haulmont