Since all modules in this repo depend on Log4j2 libraries in provided scope, adding this library to your POM file will NOT add the affected libraries to your production code unless you explicitly package your application with provided-scope transitive dependencies (Maven does not propagate provided-scope dependencies to consumers). This decision was made at the beginning of this project to force you to fully control which Log4j2 libraries land on your classpath.
Regardless of the above decision, a new version will be released later today (retaining provided scope) that depends on 2.15.0, in order to indicate a patched Log4j2 version. It will NOT make your application free of this vulnerability by itself, because that provided-scope dependency never reaches your runtime classpath.
Use the following command to locate the source of the vulnerable log4j-core library, replace it with version 2.15.0 or newer, and follow the Log4j Project's recommendations.
All Log4j2 dependencies should be listed explicitly in your POM file unless other dependencies, e.g. org.springframework.boot:spring-boot-starter-log4j2 or other lots.of.transitive.compile:convenience libraries, already bring them in compile scope; in that case, verify which log4j-core version that transitive path actually resolves to.
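The steps above (locate the source of log4j-core, check its version, then decide whether to declare it explicitly or override the transitive one) are mechanical enough to script. The following is an added example and not part of this project's code: it parses the plain-text output of mvn dependency:tree (with or without -Dverbose, whose conflict-omitted duplicates appear in parentheses) and reports, for every org.apache.logging.log4j:log4j-core node, its version, scope, whether it is below the minimum version the notice asks for (2.15.0, kept as a parameter so you can raise it), whether Maven actually resolved it, and which direct dependency pulled it in. The sample tree embedded below is constructed for illustration and does not describe any real project.

```python
"""Find every log4j-core node in `mvn dependency:tree` output and name the
direct dependency that brought it in (the 'source' to fix or override).

Added example, not the project's own code. Assumes the input is the
plain-text output of `mvn dependency:tree` (optionally -Dverbose); the
SAMPLE_TREE below is constructed, not captured from a real build.
"""
from dataclasses import dataclass, field
from typing import List, Optional

TARGET_GROUP = "org.apache.logging.log4j"
TARGET_ARTIFACT = "log4j-core"
FIXED_VERSION = "2.15.0"  # minimum the notice asks for; raise it if your policy requires more

# Maven draws the tree with fixed three-character cells in front of each coordinate.
_CELLS = ("+- ", "\\- ", "|  ", "   ")


@dataclass
class Node:
    group: str
    artifact: str
    version: str
    scope: Optional[str]                 # None for the root project line
    omitted: bool                        # True for verbose-mode "(... - omitted for ...)" lines
    path: List[str] = field(default_factory=list)  # coordinates from the direct dependency down to this node


def version_key(version: str):
    """'2.14.1' -> (2, 14, 1). Qualifiers after '-' are dropped, so 2.15.0-rc1 sorts as 2.15.0."""
    return tuple(int(p) for p in version.split("-", 1)[0].split(".") if p.isdigit())


def parse_tree(text: str) -> List[Node]:
    """Turn dependency:tree output into a flat node list, each with its ancestor path."""
    nodes: List[Node] = []
    stack: List[str] = []  # one coordinate per depth level, root project at index 0
    for raw in text.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        depth = 0
        while line[:3] in _CELLS:  # consume tree-drawing cells; their count is the depth
            depth += 1
            line = line[3:]
        omitted = line.startswith("(")
        token = line.lstrip("(").split()[0].rstrip(")") if line.strip() else ""
        parts = token.split(":")
        if len(parts) < 4:
            continue  # plugin banner, blank line, or anything else that is not a coordinate
        if depth == 0:
            version, scope = parts[-1], None         # root: group:artifact:type:version
        else:
            version, scope = parts[-2], parts[-1]    # dependency: ...:version:scope
        del stack[depth:]
        stack.append(token)
        nodes.append(Node(parts[0], parts[1], version, scope, omitted, path=list(stack[1:])))
    return nodes


def find_log4j_core(text: str, minimum: str = FIXED_VERSION) -> List[dict]:
    """Report each log4j-core occurrence: version, scope, below-minimum flag,
    whether Maven resolved it (vs. omitted in verbose output), and its source."""
    findings = []
    for n in parse_tree(text):
        if n.group != TARGET_GROUP or n.artifact != TARGET_ARTIFACT:
            continue
        findings.append({
            "version": n.version,
            "scope": n.scope,
            "vulnerable": version_key(n.version) < version_key(minimum),
            "resolved": not n.omitted,
            "via": n.path[0] if len(n.path) > 1 else "declared directly in the POM",
            "path": " -> ".join(n.path),
        })
    return findings


# Constructed sample: a Spring Boot starter drags in an old log4j-core in compile
# scope, and (verbose mode) a legacy library's even older copy lost conflict mediation.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ myapp ---
[INFO] com.example:myapp:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.5.6:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
[INFO] \\- com.example:legacy-lib:jar:0.9.0:compile
[INFO]    \\- (org.apache.logging.log4j:log4j-core:jar:2.13.3:compile - omitted for conflict with 2.14.1)
"""

if __name__ == "__main__":
    for f in find_log4j_core(SAMPLE_TREE):
        state = "VULNERABLE" if f["vulnerable"] else "ok"
        active = "resolved" if f["resolved"] else "omitted by Maven"
        print(f"log4j-core {f['version']} ({f['scope']}, {active}): {state}; via {f['via']}")
        print(f"  path: {f['path']}")
```

Run it against real output with mvn dependency:tree -Dverbose > tree.txt and feed the file's text to find_log4j_core. A resolved entry below the minimum whose "via" is a compile-scope convenience library is exactly the case the notice describes: pin log4j-core explicitly in your own POM (or dependencyManagement) so your declaration, not the starter's, decides the version.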