---
title: 'Log4j security issue'
disqus: hackmd
---

###### tags: `SpringBoot`

Log4j security issue
===

[TOC]

This note looks at the Log4j 2 vulnerability (CVE-2021-44228, "Log4Shell") for a project on Spring Boot 2.5.3. The Log4j 2 version managed by Spring Boot 2.5.3 predates the fix, so the managed version should be overridden:

```xml=
<properties>
    <log4j2.version>2.15.0</log4j2.version>
</properties>
```

[Official post on how to fix the vulnerability](https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot)

Two caveats when following it:

- 2.15.0 is the version the Spring post recommended on the day it was published. It was later found to be an incomplete fix (CVE-2021-45046), and further follow-ups led to 2.17.0 and 2.17.1; put the newest 2.17.x (or later) in the same property rather than stopping at 2.15.0.
- The property override only takes effect when the pom inherits from `spring-boot-starter-parent`. A project that imports `spring-boot-dependencies` as a BOM instead has to pin the `log4j-core` / `log4j-api` versions in its own `dependencyManagement` ahead of the import, and Gradle builds set the same `log4j2.version` extra property, as shown in the post.

![](https://i.imgur.com/icPUZp3.png)

Add this to pom.xml at this location:

```xml=
<log4j2.version>2.15.0</log4j2.version>
```

![](https://i.imgur.com/3Y174xC.png)

Then go back here and you can see it now resolves to 2.15:

![](https://i.imgur.com/m5iFZnI.png)

## Many projects use slf4j

```java=
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
```

slf4j is only a facade; what matters is the logging implementation bound behind it. The Spring Boot reference says: "When using starters, Logback is used for logging by default." Logback is not affected by this vulnerability, and `spring-boot-starter-logging` brings in only `log4j-api` and `log4j-to-slf4j`, not `log4j-core`, which is where the vulnerable JNDI lookup lives. So the two systems that use the default Logback setup, the AI optimization watch list (AI優化觀察名單) and the annual budget query for 王協理, do **not** need any change.

## Later found that no change was needed either

BudgetOrderSystem creates its loggers directly through the Log4j 1.x API (`org.apache.log4j.Logger`) rather than through slf4j:

```java=
// Log4j 1.x API; the binding is the slf4j-log4j12 dependency shown below
private static final Logger logger = Logger.getLogger(AccountBudgetManagementApiController.class);
```

## BudgetOrderSystem

The ESAPI dependency would pull in Log4j 1.x transitively, but that (and commons-logging) is excluded here:

```xml=
<!-- ESAPI -->
<dependency>
    <groupId>org.owasp.esapi</groupId>
    <artifactId>esapi</artifactId>
    <version>2.0.1</version>
    <exclusions>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
        <exclusion>
            <groupId>log4j</groupId>
            <artifactId>log4j</artifactId>
        </exclusion>
        <exclusion>
            <groupId>commons-configuration</groupId>
            <artifactId>commons-configuration</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<!-- Code Generation Library -->
```

The actual SLF4J binding is slf4j-log4j12, which routes SLF4J onto Log4j 1.2.x; jcl-over-slf4j routes commons-logging onto SLF4J as well:

```xml=
<!-- slf4j on log4j -->
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-log4j12</artifactId>
    <version>1.7.32</version>
</dependency>
<!-- bridge between commons logging and slf4j -->
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>jcl-over-slf4j</artifactId>
    <version>1.7.32</version>
</dependency>
```

Log4j 1.x does not contain the message-lookup / JNDI code path that CVE-2021-44228 exploits (that is a log4j-core 2.x feature), which is why BudgetOrderSystem needs no change for this issue. Note, though, that Log4j 1.x is end-of-life and has separate issues of its own (for example CVE-2021-4104 in JMSAppender, exploitable only when an attacker can change the logging configuration), so it should still be scheduled for migration to Log4j 2.17.x or Logback.
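The decisions above (is `log4j-core` on the classpath, which version is it, or is only the Log4j 1.x backend of slf4j-log4j12 present?) can be checked mechanically over the jars in a build output instead of reading poms by hand. The script below is an added example, not code from this note or from Spring. It assumes the standard Maven jar layout (`pom.properties` under `META-INF/maven/...`), treats 2.17.1 as the first fully fixed `log4j-core` release (the later advisories, so it goes beyond the 2.15.0 this note settles on), and judges only the jar, not runtime flags such as `log4j2.formatMsgNoLookups`. The sample jars it inspects are constructed in memory.

```python
"""Audit jars for Log4Shell (CVE-2021-44228) exposure.

Added example for this note, not code from the note or from Spring. Assumes the
standard Maven jar layout and a fixed-version threshold of 2.17.1; the sample
jars below are constructed in memory, not real artifacts.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Optional

# The class that performs the JNDI lookup during message formatting (log4j-core 2.x only).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven records the artifact version here when log4j-core is packaged normally.
LOG4J2_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Marker for Log4j 1.x (the backend of slf4j-log4j12); it has no lookup code path.
LOG4J1_MARKER = "org/apache/log4j/Logger.class"
FIXED_VERSION = (2, 17, 1)  # 2.15.0 -> 2.16.0 -> 2.17.0 -> 2.17.1 closed the follow-up CVEs


@dataclass
class Finding:
    jar: str
    kind: str                 # "log4j2-core", "log4j1" or "other"
    version: Optional[str]
    has_jndi_lookup: bool
    vulnerable: bool


def parse_version(text: str) -> tuple:
    """'2.17.1' -> (2, 17, 1); non-numeric suffixes such as '-beta9' are dropped."""
    parts = []
    for piece in text.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def read_props_version(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.strip().startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar_bytes(name: str, data: bytes) -> Finding:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP in names
        if LOG4J2_PROPS in names:
            version = read_props_version(zf.read(LOG4J2_PROPS))
            # An old version with JndiLookup still present is exploitable; a jar whose
            # JndiLookup.class was deleted (the documented workaround) is not.
            outdated = version is None or parse_version(version) < FIXED_VERSION
            return Finding(name, "log4j2-core", version, has_jndi, has_jndi and outdated)
        if LOG4J1_MARKER in names:
            return Finding(name, "log4j1", None, has_jndi, False)
        # Shaded/fat jars carry no pom.properties: the class alone is the signal.
        return Finding(name, "other", None, has_jndi, has_jndi)


def inspect_jar(path: Path) -> Finding:
    return inspect_jar_bytes(path.name, path.read_bytes())


def scan(paths: Iterable[Path]) -> List[Finding]:
    return [inspect_jar(p) for p in paths if p.suffix == ".jar"]


def make_jar(entries: dict) -> bytes:
    """Build an in-memory jar from {entry_name: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for entry, content in entries.items():
            zf.writestr(entry, content)
    return buf.getvalue()


# Constructed sample jars; the names mirror the artifacts discussed in the note.
SAMPLE_JARS = {
    "log4j-core-2.14.1.jar": make_jar({JNDI_LOOKUP: b"", LOG4J2_PROPS: b"version=2.14.1\n"}),
    "log4j-core-2.17.1.jar": make_jar({JNDI_LOOKUP: b"", LOG4J2_PROPS: b"version=2.17.1\n"}),
    "log4j-1.2.17.jar": make_jar({LOG4J1_MARKER: b""}),
    "logback-classic-1.2.6.jar": make_jar({"ch/qos/logback/classic/Logger.class": b""}),
    "app-shaded.jar": make_jar({JNDI_LOOKUP: b"", "com/example/App.class": b""}),
}


def demo() -> dict:
    return {name: inspect_jar_bytes(name, data) for name, data in SAMPLE_JARS.items()}


if __name__ == "__main__":
    for f in demo().values():
        print(f"{f.jar:28} {f.kind:12} {(f.version or '-'):8} vulnerable={f.vulnerable}")
```

Point `scan()` at the jars Maven actually packages (for example the `BOOT-INF/lib` contents of the built Spring Boot jar, or `target/*.jar` plus the copied dependencies) rather than at the pom, since the pom only says what was asked for. As a quicker manual cross-check after changing the property, `mvn dependency:tree -Dincludes=org.apache.logging.log4j` prints which log4j artifacts and versions the build resolves, which is what the screenshots above show in the IDE.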