Avoid Log4J "Log4Shell" exploit

This commit upgrades our transitive dependency on Log4J 2 from 2.14.1 to the newly-released 2.15.0 to avoid the CVE described at https://www.lunasec.io/docs/blog/log4j-zero-day/. We do not use log4j directly anywhere in our codebase, so our exposure to this exploit was already mitigated if not eliminated, but Spring Boot depends on Log4J 2 internally. This commit upgrades Spring Boot's underlying dependency on Log4J to 2.15.0 in the manner recommended at spring-projects/spring-boot#28958.
bisq-network · Dec 10, 2021 · 5f0f9e8 · 5f0f9e8
1 parent bb4ceaa
commit 5f0f9e8
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/build.gradle b/build.gradle
@@ -583,6 +583,8 @@ configure(project(':pricenode')) {
         "Implementation-Title": project.name,
         "Implementation-Version": version)
 
+    ext['log4j2.version'] = '2.15.0'
+
     dependencies {
         implementation project(":common")
         implementation project(":core")

diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -1883,6 +1883,11 @@
             <sha256 value="972d7e467fd0f36f05e8ff72730d363cb04d56add01681d19e243f5341eff0b2" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j" version="2.15.0">
+         <artifact name="log4j-2.15.0.pom">
+            <sha256 value="3f745daa4ea6dc2606525bd4279bf30062066bd223866adb7f5eee46dcf76a03" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-api" version="2.11.0">
          <artifact name="log4j-api-2.11.0.jar">
             <sha256 value="fa5828950269b0ae425c96d889f18f40b336e9fa886841ae06bb9225511f1217" origin="Generated by Gradle"/>
@@ -1899,11 +1904,24 @@
             <sha256 value="909fa83ac088e70c8ba0dfb0fbd5b3027d03262edaafcca1250cc6aec46f0ad4" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-api" version="2.15.0">
+         <artifact name="log4j-api-2.15.0.jar">
+            <sha256 value="c8c33e7e8e05496dae69cf0caac8c3092cffd937a164526e92922d2d566d0a55" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="log4j-api-2.15.0.pom">
+            <sha256 value="cc75a1281e48700547a81336b564f512a7226e995800bf88ab849ab5adbffa47" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-bom" version="2.14.1">
          <artifact name="log4j-bom-2.14.1.pom">
             <sha256 value="a9cef896837f42c6d950b1ce44e2bc1eeeadb246d6c484e07ddd99fb8c022c59" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-bom" version="2.15.0">
+         <artifact name="log4j-bom-2.15.0.pom">
+            <sha256 value="99b95442cfaf64ba478ef06d869fefdf3dd959fec78263e59f55cec5ac98b485" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.logging.log4j" name="log4j-core" version="2.11.0">
          <artifact name="log4j-core-2.11.0.jar">
             <sha256 value="c32029b32da3d8cf2feca0790a4bc2331ea7eb62ab368a8980b90c7d8c8101e0" origin="Generated by Gradle"/>
@@ -1920,6 +1938,14 @@
             <sha256 value="9405a913081c375346da4b3e635ee16a96a41fff08360752918fda9c3290e2dc" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.apache.logging.log4j" name="log4j-to-slf4j" version="2.15.0">
+         <artifact name="log4j-to-slf4j-2.15.0.jar">
+            <sha256 value="5e1a381e645a6d80b8a5240e899a3c6283821457bb6fd31fb306074674952773" origin="Generated by Gradle"/>
+         </artifact>
+         <artifact name="log4j-to-slf4j-2.15.0.pom">
+            <sha256 value="79c17ecc56a70d466c13bd5926c75c42d7f8bcdbbcfb7d9770e616c013531d1a" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.apache.tomcat.embed" name="tomcat-embed-core" version="9.0.54">
          <artifact name="tomcat-embed-core-9.0.54.jar">
             <sha256 value="287f5b91c434df0eef104389c52c480ab4b66f80b494c16607fd82ae9217f8e3" origin="Generated by Gradle"/>