Asked by: 小点点

How to fix the Log4J vulnerability in a Gradle project


I can see the org.apache.logging.log4j:log4j-core:2.14.0 library in my project's Gradle dependency tree.

We did not add the log4j version ourselves. It comes in as a transitive dependency of other jars or of spring-boot-starter.

How can I override the log4j version in Gradle?


3 answers

Anonymous user

First, find out which log4j-related libraries you are actually using, e.g.

 .\gradlew dependencies --configuration=testRuntimeClasspath | find "log4j"

Then override them with a current version, like so (docs), placed after the dependencies block:

configurations.all {
    resolutionStrategy {
        force 'org.apache.logging.log4j:log4j-api:2.17.0'
        force 'org.apache.logging.log4j:log4j-core:2.17.0'
        force 'org.apache.logging.log4j:log4j-slf4j-impl:2.17.0'
        force 'org.apache.logging.log4j:log4j-jul:2.17.0'
    }
}

Depending on the result of the check at the start, you may need to add more or fewer libraries to that block.

Since you are using Spring Boot, you can also use the Spring Boot-specific property to set the Log4J version:

ext['log4j2.version'] = '2.17.0'

Anonymous user

I am on macOS and use subprojects:

First I run: ./gradlew projects, which lists my subprojects:

Output:

:projects

------------------------------------------------------------
Root project
------------------------------------------------------------

Root project 'test-backend'
+--- Project ':test-suite'
+--- Project ':test-suite-services'
\--- Project ':test-utils'

Using that output, we can check the dependencies of each subproject one by one:

./gradlew test-suite:dependencies | grep "log4j"
./gradlew test-suite-services:dependencies | grep "log4j"
./gradlew test-utils:dependencies | grep "log4j"
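The first two answers both boil down to piping `gradlew dependencies` output through `find`/`grep` and reading the versions by eye. The script below, an added example that is not part of any answer above, does that reading for you: it parses the text format of Gradle's dependency report (the `+--- group:name:version` tree lines, including the `requested -> resolved` arrows Gradle prints when conflict resolution or a constraint changes a version) and lists every org.apache.logging.log4j artifact whose effective version is still below 2.17.0, the version the answers force. The two reports embedded in it are constructed samples, not real project output; one models the tree before the fix, the other after a constraints block like the one in the third answer has been applied.

```python
"""Flag Log4j artifacts in `gradlew dependencies` output that resolve below 2.17.0.

Added example; assumes Gradle's text dependency-report format. Both sample
reports below are constructed for illustration, not captured from a project.
"""
import re
import sys
from typing import Dict, List, Tuple

LOG4J_GROUP = "org.apache.logging.log4j"
MIN_SAFE = (2, 17, 0)  # lowest version the answers above force / constrain

# Matches a tree line such as:
#   +--- org.apache.logging.log4j:log4j-core:2.14.0 -> 2.17.0
#   +--- org.apache.logging.log4j:log4j-core:{strictly [2.17, 3[; prefer 2.17.0} -> 2.17.0 (c)
DEP_RE = re.compile(
    r"^[\s|+\\-]*"                                              # tree-drawing prefix
    r"(?P<group>[A-Za-z][\w.-]*):(?P<name>[\w.-]+):"
    r"(?P<requested>\{[^}]*\}|[\w.+-]+)"                        # plain or rich version
    r"(?:\s+->\s+(?P<resolved>[\w.+-]+))?"                      # set when Gradle changed it
)

# Constructed "before" report: everything still on 2.14.x.
BEFORE_REPORT = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-log4j2:2.5.6
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.14.1
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.7.32
|    |    +--- org.apache.logging.log4j:log4j-api:2.14.1
|    |    \--- org.apache.logging.log4j:log4j-core:2.14.1
|    \--- org.apache.logging.log4j:log4j-jul:2.14.1
\--- com.example:some-lib:1.0
     \--- org.apache.logging.log4j:log4j-core:2.14.0 -> 2.14.1
"""

# Constructed "after" report: constraints on api/core/slf4j-impl applied,
# but log4j-jul was not listed in the constraints block and is still 2.14.1.
AFTER_REPORT = r"""runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-log4j2:2.5.6
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 -> 2.17.0
|    |    +--- org.slf4j:slf4j-api:1.7.30 -> 1.7.32
|    |    +--- org.apache.logging.log4j:log4j-api:2.17.0
|    |    \--- org.apache.logging.log4j:log4j-core:2.17.0
|    \--- org.apache.logging.log4j:log4j-jul:2.14.1
+--- org.apache.logging.log4j:log4j-core:{strictly [2.17, 3[; prefer 2.17.0} -> 2.17.0 (c)
\--- com.example:some-lib:1.0
     \--- org.apache.logging.log4j:log4j-core:2.14.0 -> 2.17.0
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.17.0' -> (2, 17, 0); a qualifier such as '-rc1' on the last part is ignored."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def effective_log4j_versions(report: str) -> Dict[str, str]:
    """Map each log4j artifact name to the version Gradle actually resolved.

    The resolved side of '->' wins over the requested version; a module that
    appears several times shows the same resolved version on every line.
    """
    found: Dict[str, str] = {}
    for line in report.splitlines():
        m = DEP_RE.match(line)
        if not m or m.group("group") != LOG4J_GROUP:
            continue
        found[m.group("name")] = m.group("resolved") or m.group("requested")
    return found


def vulnerable_artifacts(report: str) -> List[Tuple[str, str]]:
    """Return sorted (artifact, effective version) pairs still below MIN_SAFE."""
    return sorted(
        (name, ver)
        for name, ver in effective_log4j_versions(report).items()
        if version_tuple(ver) < MIN_SAFE
    )


if __name__ == "__main__":
    # Usage: ./gradlew dependencies --configuration runtimeClasspath | python3 check_log4j.py
    report = sys.stdin.read() if not sys.stdin.isatty() else BEFORE_REPORT
    hits = vulnerable_artifacts(report)
    for name, ver in hits:
        print(f"{LOG4J_GROUP}:{name} resolves to {ver} (< 2.17.0)")
    sys.exit(1 if hits else 0)
```

Run it per subproject and per configuration (`runtimeClasspath`, `testRuntimeClasspath`, ...) exactly as the answers above run their grep; a non-zero exit makes it usable as a CI gate. Checking every artifact in the org.apache.logging.log4j group rather than only log4j-core is deliberate: it keeps the bridges (log4j-slf4j-impl, log4j-jul, log4j-web) aligned with the core version, and in the "after" sample it catches log4j-jul, which the `force` block in the first answer covers but the constraints block in the third does not.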

Anonymous user

  • Prefer constraints: https://docs.gradle.org/current/userguide/resolution_rules.html
  • https://docs.gradle.org/current/userguide/rich_versions.html#rich-version-constraints
  • https://blog.gradle.org/log4j-vulnerability

dependencies {
    constraints {
        implementation('org.apache.logging.log4j:log4j-api') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }

        implementation('org.apache.logging.log4j:log4j-core') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }

        implementation('org.apache.logging.log4j:log4j-slf4j-impl') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }

        implementation('org.apache.logging.log4j:log4j-web') {
            version {
                strictly('[2.17, 3[')
                prefer('2.17.0')
            }
            because('CVE-2021-44228, CVE-2021-45046, CVE-2021-45105: Log4j vulnerable to remote code execution and other critical security vulnerabilities')
        }
    }
}