A lot of the documentation can be found here on Spring's website about the threat.
The most important part is the second paragraph.
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
Therefore, If you have not explicitly brought in log4j-core
into your application you SHOULD be fine. Although, there is a possibility that you are using a transitive dependency (dependency of a dependency) in your application.
Full details here and here on the threat. More directly from Apache.
Here is a good read on what the vulnerability is and who is impacted.
This is how I used maven and the grep
to determine if my projects were affected. If you find log4j-core
version that is < 2.17.0
you should update it immediately!
mvn dependency:tree -Dverbose | grep log4
I did find a transitive dependency was using the affected jar. I am the maintainer of the dependency so I was quickly able to put in a patch. Make sure you look for updates to your own dependencies if they contain the affected jar!
Best of luck!