Log4j2 0day漏洞修复方法,该方法是从项目级别进行组件替换,解决组件深度依赖的问题。
1、POM高版本log4j包引入
官方已经发布到2.16.0版本
<!--log4j 0day 漏洞修复 手动引入高版本-->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.16.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-to-slf4j</artifactId>
<version>2.16.0</version>
</dependency>
2、引入maven-enforcer-plugin插件检测和替换
<!--log4j 0day 漏洞修复 项目打包检查-->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.0.0-M3</version>
<executions>
<execution>
<id>enforce-banned-dependencies</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>org.apache.logging.log4j:log4j-api</exclude>
<exclude>org.apache.logging.log4j:log4j-to-slf4j</exclude>
</excludes>
<includes>
<include>org.apache.logging.log4j:log4j-api:2.16.0:jar</include>
<include>org.apache.logging.log4j:log4j-to-slf4j:2.16.0:jar</include>
</includes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
参考资料
-
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j/2.16.0
-
https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-api