Contact Us About Sponsorship

Questions about Micronaut Foundation sponsorship?

Please complete this form, and we’ll follow up with you shortly.

Micronaut Framework and Log4j 2 Vulnerability

by Sergio Del Amo Caballero

Vulnerability CVE-2021-44228 may allow an attacker to remotely execute code. It affects Log4j’s log4j-core jar. Log4j v2.15.0 fixes it. Moreover, Log4j v2.16.0 disables JNDI functionality by default, and it removes message lookups. Log4j v2.17.0 addresses CVE-2021-45105. It protects against infinite recursion in lookup evaluation.

Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.

Are Micronaut applications vulnerable?

By default, Micronaut applications use Logback. Thus, most Micronaut applications are not affected.

However, your application would be vulnerable if it includes untrusted input in the log messages and pulls log4j-core as a transitive dependency.

Are Micronaut applications that use the Log4j feature vulnerable?

Yes. If you replaced Logback with Log4j by selecting the Log4j feature in Micronaut Launch or in Micronaut CLI, you’ll need to update Log4j version to 2.17.0.

In Gradle, it means replacing:


dependencies {
  ...
  implementation("org.apache.logging.log4j:log4j-core:2.14.1")
  runtimeOnly("org.apache.logging.log4j:log4j-api:2.14.1")
  runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.14.1")
}

With:


dependencies {
  ...
  implementation("org.apache.logging.log4j:log4j-core:2.17.0")
  runtimeOnly("org.apache.logging.log4j:log4j-api:2.17.0")
  runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
}

For Maven, it means replacing:



  ...
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.14.1</version>
    <scope>compile</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.14.1</version>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.14.1</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>

With:


  ...
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
    <scope>compile</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.0</version>
    <scope>runtime</scope>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>2.17.0</version>
    <scope>runtime</scope>
  </dependency>
</dependencies>

How can you check to see if you are pulling log4j-core as a transitive dependency?

If you are using Gradle, run:

./gradlew dependencyInsight --dependency log4j-core

If you are using Maven, run:

./mvnw dependency:list | grep log4j

How do you tell your build to use a particular version of Log4j?

With Gradle, if your application is pulling log4j-core transitively, you can declare a resolutionStrategy:


configurations.all {
  resolutionStrategy.eachDependency { 
         DependencyResolveDetails details ->
    if (details.requested.group == 'org.apache.logging.log4j') {
      details.useVersion '2.17.0'
    }
  }
}

With Maven, if you define the Log4j dependency version explicitly, it will be used:


<dependencies>
...
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.0</version>
  </dependency>
</dependencies>

Other Options

If you cannot upgrade, please do the following, as suggested by the Log4j team:

For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property log4j2.formatMsgNoLookups or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to true.

For releases >=2.7 and <=2.14.1, all PatternLayoutpatterns can be modified to specify the message converter as %m{nolookups} instead of just %m.

For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the JndiLookup class from the classpath: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.