散修程序员

SpringBoot集成升级log4j2解决漏洞

 2022-07-18    0 条评论    92564 浏览

漏洞

spring boot集成log4j2

spring boot项目可以通过pom坐标直接引入log4j2依赖,也可以通过spring boot自带的包引入依赖

通过spring boot引入log

<dependency> <!-- 引入log4j2依赖 -->  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-log4j2</artifactId>  
</dependency>

注释掉spring-boot-starter-logging,因为默认仅仅记录到控制台。

<dependency>  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-web</artifactId>  
    <exclusions><!-- 去掉springboot默认配置 -->  
        <exclusion>  
            <groupId>org.springframework.boot</groupId>  
            <artifactId>spring-boot-starter-logging</artifactId>  
        </exclusion>  
    </exclusions>  
</dependency>

注意,此种方式log4j2的版本随着spring boot的版本走。 spring boot的2.6.7版本对应log4j2版本2.17。

spring boot如下:

<parent>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-parent</artifactId>
	<version>2.6.7</version>
	<relativePath/>
</parent>

点击跳转到spring-boot-starter-logging坐标可以看到pom坐标

<modelVersion>4.0.0</modelVersion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<version>2.6.7</version>

坐标内log4j2的坐标

<dependencies>
	<dependency>
		<groupId>org.apache.logging.log4j</groupId>
		<artifactId>log4j-slf4j-impl</artifactId>
		<version>2.17.2</version>
		<scope>compile</scope>
	</dependency>
	<dependency>
		<groupId>org.apache.logging.log4j</groupId>
		<artifactId>log4j-core</artifactId>
		<version>2.17.2</version>
		<scope>compile</scope>
	</dependency>
	<dependency>
		<groupId>org.apache.logging.log4j</groupId>
		<artifactId>log4j-jul</artifactId>
		<version>2.17.2</version>
		<scope>compile</scope>
	</dependency>
	<dependency>
		<groupId>org.slf4j</groupId>
		<artifactId>jul-to-slf4j</artifactId>
		<version>1.7.36</version>
		<scope>compile</scope>
	</dependency>
</dependencies>

2022-07-31 17:25:40 星期日

注意:今天爆出log4j2又有新漏洞,需要升级到最新的2.18版本

直接pom坐标引入依赖

直接通过pom坐标引入log4j2更直观,且方便调整依赖版本。

去掉spring boot web的自带log配置如上:略...

pom配置如下(都引入最新版本的2.18)

 <!-- 配置 log4j2 -->
<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-slf4j-impl</artifactId>
	<version>2.18.0</version>
	<scope>compile</scope>
</dependency>
<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-api</artifactId>
	<version>2.18.0</version>
	<scope>compile</scope>
</dependency>
<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-core</artifactId>
	<version>2.18.0</version>
	<scope>compile</scope>
</dependency>
<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-jul</artifactId>
	<version>2.18.0</version>
	<scope>compile</scope>
</dependency>
<dependency>
	<groupId>org.slf4j</groupId>
	<artifactId>jul-to-slf4j</artifactId>
	<version>1.7.36</version>
	<scope>compile</scope>
</dependency>

spring boot内置的log

spring boot的依赖jar很多都包含了spring-boot-starter-log4j2,此jar包含了log4j2依赖。

<dependency> <!-- 引入log4j2依赖 -->  
    <groupId>org.springframework.boot</groupId>  
    <artifactId>spring-boot-starter-log4j2</artifactId>  
</dependency>

所以在spring boot中,直接使用pom引入log4j2时,最好将其他spring-boot-starter-log4j2排除掉。

默认包含spring-boot-starter-log4j2的组件包括

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter</artifactId>
	<exclusions><!-- 去掉springboot默认配置 -->
		<exclusion>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-logging</artifactId>
		</exclusion>
	</exclusions>
</dependency>

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-web</artifactId>
	<exclusions><!-- 去掉springboot默认配置 -->
		<exclusion>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-logging</artifactId>
		</exclusion>
	</exclusions>
</dependency>

<dependency>
	<groupId>org.springframework.boot</groupId>
	<artifactId>spring-boot-starter-thymeleaf</artifactId>
	<exclusions><!-- 去掉springboot默认配置 -->
		<exclusion>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-logging</artifactId>
		</exclusion>
	</exclusions>
</dependency>