Micronaut Framework and Log4j 2 Vulnerability
by Sergio Del Amo CaballeroVulnerability CVE-2021-44228 may allow an attacker to remotely execute code. It affects Log4j’s log4j-core jar. Log4j v2.15.0 fixes it. Moreover, Log4j v2.16.0 disables JNDI functionality by default, and it removes message lookups. Log4j v2.17.0 addresses CVE-2021-45105. It protects against infinite recursion in lookup evaluation.
Summary: Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
Are Micronaut applications vulnerable?
By default, Micronaut applications use Logback. Thus, most Micronaut applications are not affected.
However, your application would be vulnerable if it includes untrusted input in the log messages and pulls log4j-core as a transitive dependency.
Are Micronaut applications that use the Log4j feature vulnerable?
Yes. If you replaced Logback with Log4j by selecting the Log4j feature in Micronaut Launch or in Micronaut CLI, you’ll need to update Log4j version to 2.17.0.
In Gradle, it means replacing:
dependencies {
...
implementation("org.apache.logging.log4j:log4j-core:2.14.1")
runtimeOnly("org.apache.logging.log4j:log4j-api:2.14.1")
runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.14.1")
}
With:
dependencies {
...
implementation("org.apache.logging.log4j:log4j-core:2.17.0")
runtimeOnly("org.apache.logging.log4j:log4j-api:2.17.0")
runtimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.17.0")
}
For Maven, it means replacing:
...
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.14.1</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.14.1</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.14.1</version>
<scope>runtime</scope>
</dependency>
</dependencies>
With:
...
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.0</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.0</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.17.0</version>
<scope>runtime</scope>
</dependency>
</dependencies>
How can you check to see if you are pulling log4j-core as a transitive dependency?
If you are using Gradle, run:
./gradlew dependencyInsight --dependency log4j-coreIf you are using Maven, run:
./mvnw dependency:list | grep log4jHow do you tell your build to use a particular version of Log4j?
With Gradle, if your application is pulling log4j-core transitively, you can declare a resolutionStrategy:
configurations.all {
resolutionStrategy.eachDependency {
DependencyResolveDetails details ->
if (details.requested.group == 'org.apache.logging.log4j') {
details.useVersion '2.17.0'
}
}
}
With Maven, if you define the Log4j dependency version explicitly, it will be used:
<dependencies>
...
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.0</version>
</dependency>
</dependencies>Other Options
If you cannot upgrade, please do the following, as suggested by the Log4j team:
For those who cannot upgrade to 2.15.0, in releases >=2.10, this behavior can be mitigated by setting either the system property
log4j2.formatMsgNoLookupsor the environment variableLOG4J_FORMAT_MSG_NO_LOOKUPStotrue.For releases >=2.7 and <=2.14.1, all
PatternLayoutpatternscan be modified to specify the message converter as%m{nolookups}instead of just%m.For releases >=2.0-beta9 and <=2.10.0, the mitigation is to remove the
JndiLookupclass from the classpath:zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class.