spring-boot日志框架漏洞修复


spring-boot日志框架漏洞修复

版本问题

Spring Boot 版本低于 2.6.2 时，其默认管理的 log4j2 依赖版本存在注入漏洞，因此需要把 log4j2 相关依赖升级到已修复的版本（下面两种方案都是为了提升最终解析到的 log4j 版本）。

方案一：使用 Log4j2，并把 spring-boot-starter-log4j2 升级到 2.6.2

先排除 spring-boot-starter 中默认引入的 spring-boot-starter-logging 依赖，再引入 spring-boot-starter-log4j2：


<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.6.2</version>
</dependency>
log4j2.xml

<?xml version="1.0" encoding="UTF-8"?>



    
    
        third-api
        /home/migu/portal-third-api/logs
        100 MB
    

    
        
        
            
            
            
            
            
            
        

        
        
            
            
                
                
                
                
            
            
                
                
                
            
            
            
        

        
        
            
            
                
                
                
                
            
            
                
                
            
            
            
        
    

    
        
        
        
            
        

        
        
        
    

logback-spring.xml

<?xml version="1.0" encoding="UTF-8"?>



    logback
    
    
    
    
    
    
    

    
    
        
        
            debug
        
        
            ${CONSOLE_LOG_PATTERN}
            UTF-8
        
    

    
    
        
        
        
            
        
    

    
    
        
        
            
        
    

    
    
        
        
            
        
    


方案二：通过 log4j2.version 属性把 Log4j2 各组件统一升级到 2.17.2（修改后可用 mvn dependency:tree 确认最终解析到的 log4j-core 版本）

在 pom.xml 的 properties 中统一声明 Log4j2 版本（若项目继承 spring-boot-starter-parent，覆盖该属性即可直接生效）：

<log4j2.version>2.17.2</log4j2.version>



<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-api</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-slf4j-impl</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-to-slf4j</artifactId>
        </exclusion>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-jul</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-slf4j-impl</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-jul</artifactId>
    <version>${log4j2.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-to-slf4j</artifactId>
    <version>${log4j2.version}</version>
</dependency>

logging升级

待更新……