If your application uses Log4j from version 2.0-alpha1 to 2.14.1, you should update to the latest version (2.16.0 at the time of writing this) as soon as …
Join the DZone community and get the full member experience. The Log4j vulnerability tracked as CVE-2021-44228 (also known as Log4Shell) allows an attacker to execute arbitrary code in a system. If your application uses Log4j from version 2.0-alpha1 to 2.14.1, you should update to the latest version ( 2.16.0 at the time of writing this) as soon as possible. The Swiss government published an excellent diagram that explains the vulnerability: Now let’s dive into mitigation strategies… In a Maven project, you can search for the log4j-core dependency in the dependencies tree and check if you are using an affected dependency. An easy way to do this is by running the following command: This command uses the Maven Dependency Plugin to show the dependency tree (including transitive dependencies) for the project. The includes option filters the output to show only the log4-core dependency. If your project depends on a vulnerable version of Log4j, you’ll see something like the following: In this example, the output shows that the project directly uses version 2.14.1 (vulnerable) of Log4j. This project needs to update the dependency: To the following: I tried this with the JDBC connector project for the MariaDB database and got the following: This is good news – the project doesn’t use Log4j and hence it’s not vulnerable to Log4Shell (see this article with more information on the specific case of MariaDB).
