Shulou(Shulou.com)06/02 Report--

This article mainly talks about "how to fix the log4j2 nuclear bomb loophole in Spring Boot project". Interested friends may wish to take a look. The method introduced in this paper is simple, fast and practical. Let's let the editor take you to learn how to fix the log4j2 nuclear bomb loophole in the Spring Boot project.

The simplest repair mode

Some friends actually thought of solving the problem directly through Spring Boot's Starter, so they also mentioned Issue to Spring Boot, hoping that spring-boot-starter-log4j2 can support the latest version 2.15 (it was still rc1 when Issue was mentioned, but now it is already release).

However, if you are familiar with the version mechanism of Spring Boot components, in fact, this does not need to be specifically distributed. You only need to add a simple configuration, as shown below:

Yes, it's that simple. You just need to configure it in pom.xml like the following:

2.15.0 postscript

I don't know if you have found that the things that have affected our Spring Boot applications recently because of vulnerabilities are not the original Spring Boot.

For example: this time, Log4j2 is not the logging component used by Spring Boot by default, but Spring Boot uses Logback by default. So the friends who didn't change the log component this time were watching in the group yesterday.

Before that, most of the serious vulnerabilities were caused by another third-party component. I'm sure you can guess who it is, right?

That's right, it's Fastjson.

Spring Boot's default JSON string serialization and deserialization tool is Jackson, not Fastjson. But I don't know when the Fastjson solution began to be popular (I remember the beginning of the XML configuration era, perhaps because of performance considerations? ).

Recently, the DD side still uses the original components, so it does not encounter these problems, and it is quite comfortable. Therefore, in the end, it is recommended that if you do not encounter any special performance requirements, or other original components can not complete the task, and then use other solutions to replace the default solution, this will be more stable. After all, in addition to the official Spring, the whole ecology is also the most widely used, and they can stand the test.

At this point, I believe you have a deeper understanding of "how to fix the log4j2 nuclear bomb loophole in the Spring Boot project". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.