# Mitigating the Log4J Vulnerability in Spring Boot

A lot of the documentation can be found [here](https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot) on Spring's website about the threat.

The most important part is the second paragraph.

> Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Therefore, if you have not explicitly brought `log4j-core` into your application you SHOULD be fine. However, there is a possibility that it is being pulled in as a [transitive dependency](https://stackoverflow.com/questions/41725810/what-is-a-transitive-maven-dependency) (a dependency of one of your dependencies).

Full details on the threat are available [here](https://nvd.nist.gov/vuln/detail/CVE-2021-44228#vulnCurrentDescriptionTitle) and [here](https://www.deepwatch.com/blog/3-steps-to-detect-patch-log4j-log4shell-vulnerability/), with [more](https://logging.apache.org/log4j/2.x/security.html) directly from Apache.

[Here](https://www.lunasec.io/docs/blog/log4j-zero-day/) is a good read on what the vulnerability is and who is impacted.

[This](https://stackoverflow.com/questions/70326613/how-to-identify-log4j2-or-log4j-in-maven-project) is how I used Maven and `grep` to determine if my projects were affected. If you find a `log4j-core` version that is < `2.17.0`, you should update it immediately!

```
mvn dependency:tree -Dverbose | grep log4
```
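As an added example (not code from the original post), the POSIX shell script below applies the same check to the output of `mvn dependency:tree -Dverbose`: it pulls every `log4j-core` version out of the tree and flags any that is below the 2.17.0 threshold the post names. It runs against a constructed sample of dependency-tree output so it can be tried offline; the function names, the sample tree and the surrounding project coordinates are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: scan `mvn dependency:tree -Dverbose`
# output for log4j-core and flag any version below the fixed release.
# Assumption: the threshold is 2.17.0, as stated in the post.

FIXED_VERSION="2.17.0"

# Constructed sample of dependency:tree output (artifact coordinates are made up),
# standing in for `mvn dependency:tree -Dverbose` so the script runs offline.
SAMPLE_TREE='[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.5.7:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-logging:jar:2.5.7:compile
[INFO] |     +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |     |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- com.example:internal-lib:jar:3.2.0:compile
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- (org.apache.logging.log4j:log4j-core:jar:2.17.0:compile - omitted for conflict with 2.14.1)'

# version_lt A B: exit status 0 when A < B, comparing dot-separated numeric components.
# Plain string comparison would get e.g. 2.9.1 vs 2.17.0 wrong, hence awk.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.]"); m = split(b, y, "[.]")
        last = (n > m) ? n : m
        for (i = 1; i <= last; i++) {
            p = (i <= n) ? x[i] + 0 : 0
            q = (i <= m) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1
    }'
}

# find_vulnerable_log4j_core: reads dependency-tree text on stdin and prints each
# distinct log4j-core version below FIXED_VERSION, one per line.
# Returns 0 when nothing vulnerable was seen, 1 otherwise.
find_vulnerable_log4j_core() {
    found=0
    # Verbose mode also lists omitted/conflicting versions in parentheses, so the
    # pattern is matched anywhere on the line rather than only at the tree node.
    for v in $(sed -n 's/.*org\.apache\.logging\.log4j:log4j-core:jar:\([0-9][0-9.]*\).*/\1/p' | sort -u); do
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "$v"
            found=1
        fi
    done
    return $found
}

# Stand-alone run against the constructed sample; on a real project replace the
# sample with: mvn dependency:tree -Dverbose | find_vulnerable_log4j_core
printf '%s\n' "$SAMPLE_TREE" | find_vulnerable_log4j_core \
    || echo "vulnerable log4j-core version(s) listed above; upgrade to $FIXED_VERSION or later"
```

Note that the script reports every version that appears in the tree, including ones Maven marks as omitted; in the sample the resolved version is the un-parenthesised 2.14.1, which is the one that actually ends up on the classpath. It also only sees what Maven declares, so a shaded or fat jar that repackages `log4j-core` classes will not show up here and needs a separate look.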

I did find a transitive dependency that was using the affected jar. I am the maintainer of the dependency, so I was quickly able to put in a patch. Make sure you look for updates to your own dependencies if they contain the affected jar!

Best of luck!
