How to check my application is vulnerable?

For your application to be vulnerable log4j-core has to be in your classpath.

The vulnerability is only present in log4j-core 2.14.1 and earlier versions.

For Maven projects:

./mvnw dependency:list | grep log4j

For Gradle:

./gradlew dependencies | grep log4j

Once you grep the console output, check whether log4j-core is present in your dependencies list. You can ignore log4j-to-slf4j and log4j-api dependencies in your grep output as these two were included by the spring-boot-starter-logging and cannot be exploited on their own. Only applications that include log4j-core and accept user input to format log messages are vulnerable.

Fixes

If your application is vulnerable consider one of the following fixes.

• Upgrade log4j to 2.15.0 or newer
• Remove org.apache.logging.log4j.core.lookupJndiLookup class from the classpath
• Switch to SLF4J