Spring-boot-starter-log4j2 please support the latest version of log4j-2.15 0-rc1

[andotorg]

Spring-boot-starter-log4j2 please support the latest version of log4j-2.15 0-rc1

Log4j-2.15 0-rc1 security vulnerability latest fixed version

[yochi2333]

Now, Log4j-2.15 0-rc2 is the latest fixed version.

[ZeroZeroLi]

wait online

[scottfrederick]

Spring Boot will pick up the next Log4J release as part of the semi-automated dependency upgrade process. In the meantime, you can configure your build to use a version of your choice by setting the log4j2.version property in your build file as shown in the documentation.

[andotorg]

waiting for Spring Boot will pick up the next Log4J release as part of the semi-automated dependency upgrade process；
use log4j.version rebuild springboot project？ im so sorry，It's too difficult for me to build a spring boot project。

[andotorg]

Will spring officials consider rebuilding a version？

[snicoll]

@andotorg We will upgrade to this newer version of log4j but this won't happen in a maintenance release so if you want to use this version now, overriding it in your application as described in the documentation is what you should be doing.

It's too difficult for me to build a spring boot project。

If we did the upgrade, you'd have to rebuild your application anyway.

[andotorg]

log4j2 2.15.0 official version published

[nessex]

To add some context, this is in response to the following RCE vulnerability:

https://www.lunasec.io/docs/blog/log4j-zero-day/

[snicoll]

@nessex thanks. We are aware of the CVE and the answers above still apply, there are a number of mitigations available in the link you've provided and upgrading your app is one of them. There's no need to wait for a Spring Boot release to do that.

[Artur-]

Please note that the property mentioned above is wrong, at least for 2.5

Set

<log4j2.version>2.15.0</log4j2.version>

to upgrade the version

[snicoll]

Thanks @Artur-, that is correct and I've edited the comment above. All dependency versions are available in the doc.

[snicoll]

@bmulder-innoseis I am not sure what you're trying to report.

spring-boot-starter-logging uses log4j (without the 2) as a dependency of log4j-to-slf4j.

This isn't a log4j dependency but the adapter from Log4j2's API to SLF4J. The log4j2 starter is here and the way to configure Spring Boot to use it is documented here.

There is no log4j dependency version in that doc you linked.

I am aware. There is a log4j2 version though which is what this issue is all about.

If you have more questions, please ask them on StackOverflow.

[andotorg]

@snicol这是关于 log4j 2。 但是，spring-boot-starter-logging 使用 log4j（没有 2）作为 log4j-to-slf4j 的依赖项。 您链接的该文档中没有 log4j 依赖项版本。

modify sample：
Add <log4j2.version>2.15.0</log4j2.version> in the tab in pom.xml of your project

[yochi2333]

But maven repository doesn`t exsits the version 2.15.0 for log4j2.

[snicoll]

Thanks everyone. Spring Boot does not use log4j2 by default and those of you who are opting-in for log4j2 can update to a version that fixes the problem.

Please review the documentation for Maven: if you are using our starter, or if you are importing our bom.

If you are using Gradle, see this section.

The name of the property is log4j2.version as documented.