Currently my project is running on Spring Boot 1.5.6. Does the log4j vulnerability issue affect the Spring Boot 1.5.6 starter logging?
CodePudding user response:
The springboot logger has increased its threshold encryption capacity after 1.5.2, which means that it will not be vulnerable to attacks through log4j-shell, which effectively tries to compromise the network security protocol to gain low-level access.
CodePudding user response:
No, spring-boot is not affected "per se", nor is springboot-starter-logging 1.5.6.
Proof#1: https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
Proof#2:
>mvn dependency:tree
---------------------< com.example:mavenproject1 >----------------------
Building mavenproject1 1.0.0-SNAPSHOT
--------------------------------[ jar ]---------------------------------
--- maven-dependency-plugin:2.10:tree (default-cli) @ mavenproject1 ---
com.example:mavenproject1:jar:1.0.0-SNAPSHOT
+- org.springframework.boot:spring-boot-starter-logging:jar:1.5.6.RELEASE:compile
|  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
|  |  +- ch.qos.logback:logback-core:jar:1.1.11:compile
|  |  \- org.slf4j:slf4j-api:jar:1.7.25:compile
|  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
|  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
|  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
+- junit:junit:jar:4.12:test
|  \- org.hamcrest:hamcrest-core:jar:1.3:test
+- org.assertj:assertj-core:jar:2.6.0:test
+- org.mockito:mockito-core:jar:1.10.19:test
|  \- org.objenesis:objenesis:jar:2.1:test
+- org.hamcrest:hamcrest-library:jar:1.3:test
\- org.springframework:spring-test:jar:4.3.10.RELEASE:test
   \- org.springframework:spring-core:jar:4.3.10.RELEASE:test
------------------------------------------------------------------------
BUILD SUCCESS
------------------------------------------------------------------------
Total time: 1.179 s
Finished at: 2022-01-08T08:32:43+01:00
------------------------------------------------------------------------
We have/had/will have a problem when we have:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
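The check in the answer above (read the real logging backend off mvn dependency:tree) and its closing warning about spring-boot-starter-log4j2 can be automated. The following script is an added example, not code from the question, the answers or the Spring Boot project. It parses the tree output, separates the component that actually carries the Log4Shell bug, log4j-core, from look-alike artifacts such as the log4j-over-slf4j bridge that the starter-logging tree contains, and flags any log4j-core below a threshold version. The 2.17.1 threshold, the handling of an optional "[INFO]" prefix, and the second sample tree (a constructed starter-log4j2 variant with an illustrative log4j-core 2.7) are assumptions of the example; the first sample reproduces the tree from the answer.

```python
"""Scan `mvn dependency:tree` output for an unpatched log4j-core.

Added example, not code from the question, the answers or Spring Boot.
Assumes the input is the text Maven prints (with or without "[INFO] ")
and that one threshold version separates patched from unpatched cores.
"""
import re
from typing import Dict, List, Tuple

# log4j-core at or above this version is treated as patched for Log4Shell.
# Assumption of the example; set it to your own baseline.
MIN_SAFE = "2.17.1"

LOG4J_GROUP = "org.apache.logging.log4j"

# These only route logging calls to another backend or hold the API; the
# JNDI lookup that Log4Shell abuses lives in log4j-core, so they are not
# the vulnerable component even though "log4j" appears in their names.
NOT_CORE = {
    ("org.slf4j", "log4j-over-slf4j"),
    (LOG4J_GROUP, "log4j-to-slf4j"),
    (LOG4J_GROUP, "log4j-api"),
}

# One resolved dependency line: optional "[INFO]", tree drawing characters,
# then group:artifact:type[:classifier]:version:scope [(optional note)].
TREE_LINE = re.compile(
    r"^(?:\[INFO\]\s*)?[\s|+\\-]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[^:\s]+):(?P<scope>\w+)"
    r"(?:\s*\(.*\))?\s*$"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.17.1' or '2.0-beta9' into a tuple that compares correctly.

    Numeric parts are padded to three fields; a trailing qualifier
    (-beta9, -rc1, ...) sorts below the plain release of that number.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v)
    if not m:
        return (0, 0, 0, -1)
    nums = [int(x) for x in m.group(1).split(".")][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((-1,) if m.group(2) else (0,))


def parse_tree(tree_text: str) -> List[Dict[str, str]]:
    """Return every resolved dependency line as a dict of its fields."""
    deps = []
    for line in tree_text.splitlines():
        m = TREE_LINE.match(line)
        if m:
            deps.append(m.groupdict())
    return deps


def assess(tree_text: str, min_safe: str = MIN_SAFE) -> Dict[str, list]:
    """Summarise what the tree says about Log4j exposure."""
    deps = parse_tree(tree_text)
    cores = [d for d in deps
             if d["group"] == LOG4J_GROUP and d["artifact"] == "log4j-core"]
    threshold = parse_version(min_safe)
    return {
        # every log4j-core on the classpath, whatever its version
        "log4j_core": [f"{d['artifact']}:{d['version']}" for d in cores],
        # the ones below the threshold, i.e. the ones that need upgrading
        "vulnerable": [f"{d['artifact']}:{d['version']}" for d in cores
                       if parse_version(d["version"]) < threshold],
        # look-alikes that are not log4j-core and need no action by themselves
        "not_core": [f"{d['group']}:{d['artifact']}:{d['version']}"
                     for d in deps if (d["group"], d["artifact"]) in NOT_CORE],
        # which Spring Boot logging starter selected the backend
        "starters": sorted({d["artifact"] for d in deps
                            if d["artifact"].startswith("spring-boot-starter-log")}),
    }


# Sample 1 reproduces the answer's tree: Spring Boot 1.5.6 with
# spring-boot-starter-logging, i.e. Logback plus the log4j-over-slf4j bridge.
SAMPLE_STARTER_LOGGING = """\
com.example:mavenproject1:jar:1.0.0-SNAPSHOT
+- org.springframework.boot:spring-boot-starter-logging:jar:1.5.6.RELEASE:compile
|  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
|  |  +- ch.qos.logback:logback-core:jar:1.1.11:compile
|  |  \\- org.slf4j:slf4j-api:jar:1.7.25:compile
|  +- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
|  +- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
|  \\- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
+- junit:junit:jar:4.12:test
"""

# Sample 2 is constructed for this example: the same project after switching
# to spring-boot-starter-log4j2, which puts a pre-fix log4j-core on the classpath.
SAMPLE_STARTER_LOG4J2 = """\
[INFO] com.example:mavenproject1:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:1.5.6.RELEASE:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.7:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.7:compile
[INFO] |  \\- org.slf4j:jcl-over-slf4j:jar:1.7.25:compile
[INFO] \\- junit:junit:jar:4.12:test
"""

if __name__ == "__main__":
    for name, tree in (("starter-logging", SAMPLE_STARTER_LOGGING),
                       ("starter-log4j2", SAMPLE_STARTER_LOG4J2)):
        print(name, assess(tree))
```

To use it on a real build, save the output of mvn dependency:tree to a file and pass its contents to assess. A non-empty "vulnerable" list is the situation the answer's last paragraph warns about; a tree whose only log4j-named entries land in "not_core", as the 1.5.6 starter-logging tree does, carries no log4j-core at all, which is why the answer says that combination is not affected.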
