sndeli

Reputation: 101

How to remove/exclude Log4j during maven build?

Hi, due to the vulnerability issue in log4j version 2.10 or higher, we need to remove the said jar file in one of our applications. I have tried this in my pom.xml but encountered some error. I don't have much experience in building maven projects :(

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.0.3.RELEASE</version>
        <relativePath /> <!-- lookup parent from repository -->
    </parent>
    <name>assistant</name>
    <description>Assistant</description>
    
    <groupId>com.assistant</groupId>
    <artifactId>assistant</artifactId>
    <packaging>war</packaging>
    <version>2.0.2</version>

    <properties>
        <java.version>1.8</java.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-thymeleaf</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.data</groupId>
            <artifactId>spring-data-solr</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>bootstrap</artifactId>
            <version>4.3.1</version>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>jquery</artifactId>
            <version>3.3.1</version>
        </dependency>
        <dependency>
            <groupId>org.webjars</groupId>
            <artifactId>font-awesome</artifactId>
            <version>5.7.2</version>
        </dependency>
        <dependency>
            <groupId>javax.el</groupId>
            <artifactId>javax.el-api</artifactId>
            <version>3.0.0</version>
        </dependency>

        <!-- WORDPRESS DEPENDENCIES START-->
        <dependency>
            <groupId>org.kamranzafar.spring.wpapi</groupId>
            <artifactId>spring-wpapi-client</artifactId>
            <version>0.1</version>
        </dependency>
        <!-- WORDPRESS DEPENDENCIES END -->
        
         
    </dependencies>
    
    

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
                <configuration>
                    <excludes>
                        <exclude>
                            <groupId>log4j</groupId>
                            <artifactId>log4j</artifactId>
                        </exclude>
                    </excludes>
                </configuration>
            </plugin>
        </plugins>
        
    </build>

</project>

and this is the error in the marker

Really appreciate your help.

Upvotes: 5

Views: 19953

Answers (1)

soung

Reputation: 1614

First, a little overview of recent log4j vulnerabilities.

  • Log4J 2.15.0 has the critical vulnerability CVE-2021-44228 (remote code execution)
  • Log4J 2.16.0 has the critical vulnerability CVE-2021-44228 (remote code execution)
  • Log4J 2.16.0 also has the vulnerability CVE-2021-45105 (DoS vulnerability)
  • EDIT: There is the CVE-2021-44832 vulnerability on log4j-api-2.17.0 and the CVE-2021-44832 vulnerability on log4j-to-slf4j-2.17.0. But these 2 vulnerabilities are not critical. It is still recommended to upgrade to 2.17.1

It is recommended you upgrade to version 2.17.0 or later.

This version (2.17.0) contains security fixes for the two remote code execution vulnerabilities and the latest DoS vulnerability.

You are using the spring-boot-starter-web. So a nice way to upgrade to log4j 2.17.1 is via spring boot dependency management. Just override the log4j version in the pom.xml properties section (no need to do anything in the plugin or dependencies sections):

    <properties>
        <java.version>1.8</java.version>
        <log4j2.version>2.17.1</log4j2.version>
    </properties>

https://snyk.io/blog/log4j-2-15-vulnerability-cve-2021-45046-critical-ace/


If you really want to just exclude the log4j dependency (so you probably won't lose all your logging functionality unless you replace log4j with another logging framework):

  1. execute the maven command mvn dependency:tree

  2. This will display the maven dependency hierarchy. So you just need to exclude the dependencies you don't want. For example:

      <dependencies>
        ...
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
            <exclusions>
                <exclusion>
                    <artifactId>log4j-to-slf4j</artifactId>
                    <groupId>org.apache.logging.log4j</groupId>
                </exclusion>
            </exclusions>
        </dependency>
        ...
      </dependencies>


Upvotes: 8
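As an added example (not code from the question or the answer): a small Python script that parses the output of the `mvn dependency:tree` command from step 1 and reports every `org.apache.logging.log4j` artifact whose version is below the 2.17.1 the answer recommends. Running it on the tree before and after the `log4j2.version` override is a quick way to confirm the override actually reached every transitive path (Spring Boot's starter pulls in `log4j-to-slf4j` and `log4j-api`, not only `log4j-core`). The sample tree text, including the 2.10.0 version it shows, is constructed for illustration and is not real build output.

```python
"""Check `mvn dependency:tree` output for Log4j 2 artifacts below a target version.

Added example, not part of the question or answer. Usage on real output:
    mvn dependency:tree > tree.txt && python3 log4j_tree_check.py tree.txt
"""
import sys
from typing import List, NamedTuple, Tuple

RECOMMENDED_VERSION = "2.17.1"          # version the answer recommends
LOG4J_GROUP = "org.apache.logging.log4j"


class Artifact(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    scope: str


# Constructed sample of dependency:tree output for a Spring Boot 2.0.3 project
# before the log4j2.version override. Versions are illustrative, not real output.
SAMPLE_TREE_BEFORE = """\
[INFO] com.assistant:assistant:war:2.0.2
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.0.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.0.3.RELEASE:compile
[INFO] |  |  \\- org.springframework.boot:spring-boot-starter-logging:jar:2.0.3.RELEASE:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |     +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.10.0:compile
[INFO] |  |     |  \\- org.apache.logging.log4j:log4j-api:jar:2.10.0:compile
[INFO] |  |     \\- org.slf4j:jul-to-slf4j:jar:1.7.25:compile
[INFO] \\- org.webjars:bootstrap:jar:4.3.1:compile
"""

# Constructed sample after adding <log4j2.version>2.17.1</log4j2.version>.
SAMPLE_TREE_AFTER = """\
[INFO] com.assistant:assistant:war:2.0.2
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] \\- org.webjars:bootstrap:jar:4.3.1:compile
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a dotted version, so '2.17.1' sorts above '2.9.1'."""
    key = []
    for part in version.split("."):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def parse_tree(text: str) -> List[Artifact]:
    """Extract every dependency coordinate from dependency:tree output.

    Each tree line ends with group:artifact:type[:classifier]:version:scope;
    the root project line has no scope and is skipped, as are other [INFO] lines.
    """
    found = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()[-1].split(":")
        if len(parts) < 5:
            continue
        found.append(Artifact(parts[0], parts[1], parts[-2], parts[-1]))
    return found


def find_log4j(text: str) -> List[Artifact]:
    """All artifacts in the org.apache.logging.log4j group, in tree order."""
    return [a for a in parse_tree(text) if a.group_id == LOG4J_GROUP]


def outdated_log4j(text: str, minimum: str = RECOMMENDED_VERSION) -> List[Artifact]:
    """Log4j 2 artifacts whose version is below the recommended minimum."""
    return [a for a in find_log4j(text)
            if version_key(a.version) < version_key(minimum)]


def report(text: str) -> None:
    for a in outdated_log4j(text):
        print(f"OUTDATED {a.group_id}:{a.artifact_id}:{a.version} ({a.scope})")


if __name__ == "__main__":
    tree = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE_BEFORE
    report(tree)
```

The check keys on the group id rather than on `log4j-core` alone, because in this project the log4j artifacts arrive through `spring-boot-starter-logging` as `log4j-to-slf4j` and `log4j-api`; an exclusion that only names one of them leaves the other in the tree, and the script shows exactly which ones remain.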
