Log4j 2.15.0 maven dependency - Fixing log4j zero day vulnerability

What is log4j 2.15.0 maven dependency for Java and Scala project? Learn to fix log4j zero day vulnerability in your Java/Scala projects.

Log4j 2.15.0 maven dependency - Fixing log4j zero day vulnerability

What is Log4j 2.15.0 Maven Dependency and how to fix log4j zero day vulnerability?

Log4j is one of the most popular logging library in Java project and it is being used by millions of developer in the project. Recently Log4j zero day vulnerability was found in the previous Log4j package. To resolve this apache team released latest version of Log4j library which fixes log4j zero day vulnerability. So, if you are using old affected version of Log4j library (between 2.0-beta9 to 2.14.1 ), the you should upgrade to log4j 2.15.0 or above.

This bug is also know as Log4Shell: RCE 0-day exploit or vulnerability, which is found in very popular Apache log4j 2 library being used by applications developed in Java.

Apache quickly released log4j 2.15.0 on 10 December 2021 with a fix for the log4j zero day vulnerability. So, if you want to fix the apache log4j zero day vulnerability you should use log4j 2.15.0 or above. It is very urgent for the developers to upgrade to latest version log4j dependency to fix zero day bug.

The Apache log4j zero day bug is very critical bug which is affecting large number of servers and application around the world. Companies are working on very high priority basis for fixing this bug in their application.

What is Log4j 2.15.0 maven dependency for using in the Java projects?

If you want to use log4j 2.15.0 in maven based Java program then add following dependency in the pom.xml file of your project:

<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-core</artifactId>
	<version>2.15.0</version>
</dependency>

Add above dependency code in your project to fix the log4j zero day vulnerability. After adding the above dependency maven will download the required log4j library and include in your project.

For including the api you can add following in your pom.xml file:

<dependency>
	<groupId>org.apache.logging.log4j</groupId>
	<artifactId>log4j-api</artifactId>
	<version>2.15.0</version>
</dependency>

Gradle Dependency

If you project is based on Gradle then you can use following dependency code:

implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.15.0'

Above code will enable the Gradle to down log4j 2.15.0 maven dependency jar and include in the project.

if you want to include the api in gradle project the add following:

implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.15.0'

What are the features of log4j 2.15.0?

The log4j 2.15.0 is quick release which comes with many bug fixes and enhancements for fixing bugs and vulnerabilities.

Recently security companies discovered zero day vulnerability, CVE-2021-44228, which is not fixed in this version of  log4j library. If you are using old versions of log4j then you should immediately upgrade to Log4j 2.15.0, as this vulnerability is address in this version.

Till now Log4j's JNDI support has not restricted and names could be resolved, which is security flaw. It can be used for remote code execution. Now in this release of Log4j this is now limited by default.

This version fixes log4j and now it stops the printing of Lookups information in the log messages. This fixes the vulnerabilities just discovered.

How to fix log4j zero day vulnerability?

There are situations user can't immediately upgrade to 2.15.0, then in those cases vulnerabilities can by mitigate:

  1. If you are using Log4j 2.10 or greater then you may add -Dlog4j.formatMsgNoLookups=true as a command line
    option. Another option is to add log4j.formatMsgNoLookups=true to a log4j2.component.properties file on the classpath
    to prevent lookups in log event messages.
     
  2.  Users of log4j till version Log4j 2.7 may specify %m{nolookups} in the PatternLayout configuration to disable the logging info in the log event messages.
     
  3.  Another way is to remove the JndiLookup and JndiManager classes from the log4j-core jar. The removal of the JndiManager
    will stop the functioning of the JndiContextSelector and JMSAppender classes.

So, in this tutorial I explained you how to use the latest version of Log4j, e.g. log4j 2.15.0 for fixing your application against CVE-2021-44228 (Log4j zero day) vulnerability. This is very serious bug and developers must fix their applications to protect against attacks.

You can read more at: