nikhil sharma

Reputation: 61

Spring boot parent log4j2 update - vulnerability fix

Trying to update log4j2 for a legacy Spring Boot application (using Spring-boot-parent-1.5.6.RELEASE), multi-module.
Tried all the ways Spring suggested in recent docs, but none of them worked.
Options tried:
Option 1 - adding to properties:

<properties>
    <log4j2.version>2.17.0</log4j2.version>
</properties>

Option 2 - adding starter-log4j2 and excluding core, then adding log4j-core (latest):

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <version>2.6.1</version>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.15.0</version>
</dependency>

Option 3 - the above one along with log4j2 api:

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-log4j2</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.apache.logging.log4j</groupId>
            <artifactId>log4j-core</artifactId>
        </exclusion>
    </exclusions>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.16.0</version>
</dependency>
<dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.16.0</version>
</dependency>

But still the dependencies imported were slf4j-over-log4j (1.7.25) and log4j (2.7, 2.11.1). Is there something else I could do?

Upvotes: 2

Views: 4277

Answers (1)

justasd

Reputation: 401

Option 1 should work.

  1. Build your project using `mvn clean install`.
  2. Check the contents of your jar file: go to the `your_project/target` directory and run the `jar tf your-project.jar` command. There should be only `log4j-core-2.17.0.jar` and no other versions of log4j-core.

Edit: also update log4j-core version in your child modules

Upvotes: 2
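The verification step in the answer above can be scripted so a build fails when the fat jar still carries a stale log4j-core. This is an added example, not code from the question or answer; the jar listing below is constructed to look like `jar tf` output of a Spring Boot jar where a child module still pinned an old version.

```shell
#!/bin/sh
# Constructed sample of `jar tf your-project.jar` output (not from the original post):
# a Spring Boot fat jar in which two log4j-core versions ended up on the classpath.
SAMPLE_LISTING='META-INF/MANIFEST.MF
BOOT-INF/classes/application.properties
BOOT-INF/lib/log4j-api-2.17.0.jar
BOOT-INF/lib/log4j-core-2.17.0.jar
BOOT-INF/lib/log4j-core-2.11.1.jar
BOOT-INF/lib/log4j-to-slf4j-2.7.jar
BOOT-INF/lib/spring-core-4.3.10.RELEASE.jar'

# Read a jar listing on stdin and print the distinct log4j-core versions it contains.
log4j_core_versions() {
  sed -n 's#^.*log4j-core-\([0-9][0-9.]*\)\.jar$#\1#p' | sort -u
}

# Read a jar listing on stdin; succeed only if exactly one log4j-core jar is
# present and its version equals the expected one (e.g. 2.17.0).
check_listing() {
  expected="$1"
  versions=$(log4j_core_versions)
  count=$(printf '%s\n' "$versions" | grep -c . || true)
  if [ "$count" -ne 1 ]; then
    echo "FAIL: found $count log4j-core versions: $(printf '%s' "$versions" | tr '\n' ' ')" >&2
    return 1
  fi
  if [ "$versions" != "$expected" ]; then
    echo "FAIL: log4j-core is $versions, expected $expected" >&2
    return 1
  fi
  echo "OK: single log4j-core $versions"
}

# Run against the constructed sample. For a real build:
#   jar tf target/your-project.jar | check_listing 2.17.0
printf '%s\n' "$SAMPLE_LISTING" | check_listing 2.17.0 || echo "sample build would be rejected"
```

The sample is rejected because both 2.11.1 and 2.17.0 are present, which is exactly the symptom of a child module overriding the parent's `log4j2.version`.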
