Both CVE-2021-44228 and CVE-2021-45046 are serious security issues, and developers might not even know whether their project is affected!
After my last post, some Java developers reached out to me and asked how to detect an affected version of the Log4j library. Well, I'm not a Java developer, but if you are using Gradle or Maven, the following snippets might help you.
Gradle has a dependency insight report, the dependencyInsight task, and its usage is very simple:
gradle -q dependencyInsight --dependency org.apache.logging.log4j --configuration runtimeClasspath
Please read the documentation to ensure you use it correctly. The --configuration argument names the configuration whose resolution you want to inspect (runtimeClasspath is what a plain Java project ships; Gradle's own documentation example uses a configuration called scm that your project will not have). The --dependency filter matches the whole group, so look for the log4j-core line in the output and the version Gradle actually selected after conflict resolution: log4j-api alone is not the vulnerable artifact, the JNDI lookup lives in log4j-core.
Maven has the Maven Dependency Plugin, which also makes it very simple to get a dependency report:
mvn dependency:tree -Dincludes=org.apache.logging.log4j
Please make sure to read the usage page on the Maven site for how to install and use the Dependency Plugin. The includes filter accepts groupId:artifactId patterns, so -Dincludes=org.apache.logging.log4j:log4j-core narrows the tree to the artifact that matters, and the version printed is the one Maven resolves for the build (nearest-wins mediation), not necessarily the one declared in your own pom.xml.
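Reading the tree by eye works for one project, but if you have to check many, it helps to pipe the report into a small script. The following is an added example, not part of the original post: a POSIX shell script that scans Maven dependency:tree or Gradle dependencies/dependencyInsight output for log4j-core, takes the resolved version (the right-hand side of a Gradle "->" arrow when present), and flags anything below the fix line for these two CVEs (2.16.0, or 2.12.2 for the Java 7 backport). The sample reports are constructed inline so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): flag vulnerable log4j-core
# versions in Maven/Gradle dependency reports. Needs only a POSIX sh and awk.

# version_ge A B -> exit 0 if A >= B, comparing the first three numeric
# components. Non-numeric parts ("2.0-beta9" -> 2.0.0) count as zero.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, pa, /[.-]/); split(b, pb, /[.-]/)
    for (i = 1; i <= 3; i++) {
      x = (pa[i] ~ /^[0-9]+$/) ? pa[i] + 0 : 0
      y = (pb[i] ~ /^[0-9]+$/) ? pb[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# is_vulnerable VERSION -> exit 0 if log4j-core at VERSION is affected by
# CVE-2021-44228 / CVE-2021-45046. Fix versions: 2.16.0 (Java 8+) and the
# 2.12.2 backport (Java 7). Adjust the threshold if newer advisories apply.
is_vulnerable() {
  case "$1" in
    2.12.2*) return 1 ;;            # Java 7 backport containing both fixes
  esac
  version_ge "$1" "2.16.0" && return 1
  return 0
}

# scan_tree: read a dependency report on stdin, print each resolved
# log4j-core version once. Handles
#   Maven:  "[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile"
#   Gradle: "+--- org.apache.logging.log4j:log4j-core:2.13.0 -> 2.16.0 (*)"
#   Gradle: "org.apache.logging.log4j:log4j-core -> 2.16.0" (version from a BOM)
scan_tree() {
  awk '
    /org\.apache\.logging\.log4j:log4j-core/ {
      line = $0
      if (match(line, / -> [0-9][^ ]*/)) {
        v = substr(line, RSTART + 4, RLENGTH - 4)   # resolved version after "->"
      } else {
        sub(/.*log4j-core:(jar:)?/, "", line)       # drop prefix and Maven "jar:" slot
        split(line, parts, /[: ]/); v = parts[1]    # version ends at ":scope" or a space
      }
      print v
    }' | sort -u
}

# check_log4j: stdin = dependency report, stdout = one verdict per version.
check_log4j() {
  scan_tree | while read -r v; do
    if is_vulnerable "$v"; then
      echo "VULNERABLE log4j-core $v"
    else
      echo "OK log4j-core $v"
    fi
  done
}

# Constructed sample reports (not real project output).
SAMPLE_MAVEN='[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] \- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile'

SAMPLE_GRADLE='runtimeClasspath - Runtime classpath of source set '"'"'main'"'"'.
+--- org.apache.logging.log4j:log4j-api:2.13.0 -> 2.16.0
+--- org.apache.logging.log4j:log4j-core:2.13.0 -> 2.16.0 (*)
\--- org.apache.logging.log4j:log4j-core -> 2.16.0 (c)'

# Demo on the samples. Real use: mvn dependency:tree | check_log4j
printf '%s\n' "$SAMPLE_MAVEN" | check_log4j
printf '%s\n' "$SAMPLE_GRADLE" | check_log4j
```

Note that log4j-api lines are deliberately ignored: only log4j-core contains the JNDI lookup, so a project that pulls in log4j-api alone (for example behind another logging backend) is not flagged.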
But again: I’m not a Java expert!