In view of the log4j2 vulnerability, the project must either replace log4j entirely or upgrade it to a safe version. Log4j 1.x has long been deprecated, and the versions affected by the log4j2 vulnerability are: 2.0 up to (but not including) 2.4.1, 2.4 up to (but not including) 2.12.2, and 2.13.0 up to (but not including) 2.16.0. The analysis and remediation process is as follows:
Analyze the log4j that the project actually uses through the Maven management tool; click it in IDEA:
The structure shown in the following figure appears:
In that panel, press Shift + F and search for log4j:
Click the log4j-related package and double-click it to view the log4j version. The result is 2.13.3, which falls within the vulnerable range, so remove log4j-api as follows:
Remove the log4j-api dependency that comes with Spring Boot:
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <exclusions>
            <exclusion>
                <groupId>org.apache.logging.log4j</groupId>
                <artifactId>log4j-api</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
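The exclusion above removes only log4j-api; if any other dependency brings in log4j-core (the artifact that contains the JNDI lookup), it still needs to be moved to a fixed release. As an added example that is not from the original post, this pom.xml fragment pins every Spring Boot-managed org.apache.logging.log4j artifact by overriding the log4j2.version property; it assumes the project inherits from spring-boot-starter-parent, and the 2.16.0 value is the fixed release named in the text above.

```xml
<!-- Added example (not from the original post). Assumes the project uses
     spring-boot-starter-parent as its parent, which defines the
     log4j2.version property in its dependency management. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.4.RELEASE</version> <!-- placeholder: your project's Spring Boot version -->
    </parent>

    <groupId>com.example</groupId>     <!-- placeholder coordinates -->
    <artifactId>demo</artifactId>
    <version>0.0.1-SNAPSHOT</version>

    <properties>
        <!-- Overriding this single property moves log4j-api, log4j-to-slf4j
             and, if anything pulls it in, log4j-core to the chosen release.
             2.16.0 is the fixed version named in the text; use the newest
             patched release your advisory source lists. -->
        <log4j2.version>2.16.0</log4j2.version>
    </properties>

    <dependencies>
        <!-- Keep the starter as-is: the version override applies to the
             transitive log4j artifacts it brings in, so no exclusion is
             needed once the managed version is safe. -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
    </dependencies>
</project>
```

After changing the property, confirm the resolved versions from the command line with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`, which lists only the log4j artifacts and the version Maven actually selects for each.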