This document describes the impact of the recent Log4j CVEs on Helidon 2 applications.
Helidon’s use of Log4j
By default Log4j is not used by Helidon-based applications and does not appear on the classpath. However, Helidon provides an optional Log4j integration module (helidon-logging-log4) and Helidon manages the version of Log4j. If your application uses helidon-logging-log4, or if your application uses Log4j directly, then your application will have declared an explicit dependency on Log4j. But the version of this dependency might be managed by Helidon.
How can I tell if I’m impacted?
You will only be impacted if your application declares a dependency on Log4j or on a component that depends on Log4j (since Log4j is an optional dependency of Helidon and Netty, it will not be included transitively from those projects). To check if your application includes Log4j, inspect the target/libs directory of your Helidon application and see if log4j-*.jar is there.
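The target/libs check above, scripted as an added example (not from the original article): it lists every log4j-*.jar in the directory, reads the version from the Maven-style file name (artifact-version.jar) and flags any jar below a minimum version. The minimum version is an assumption you must supply from the CVE advisory; it is not stated in this document.

```shell
#!/bin/sh
# Added example: scan a Helidon application's target/libs for Log4j jars.
# Assumes jars are named artifact-version.jar with a plain numeric
# version (e.g. log4j-core-2.14.1.jar), which is Maven's default naming.

# Print the version part of a jar file name: log4j-core-2.14.1.jar -> 2.14.1
jar_version() {
  base=$(basename "$1" .jar)
  printf '%s\n' "${base##*-}"
}

# True (exit 0) if dotted version $1 is strictly lower than $2.
version_lt() {
  a="$1" b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    [ -z "$ai" ] && ai=0
    [ -z "$bi" ] && bi=0
    [ "$ai" -lt "$bi" ] && return 0
    [ "$ai" -gt "$bi" ] && return 1
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 1
}

# $1 = libs directory, $2 = minimum acceptable Log4j version (assumption).
# Prints one line per Log4j jar; returns 1 if any jar is below the minimum.
check_libs() {
  dir="$1" min="$2" rc=0 found=0
  for jar in "$dir"/log4j-*.jar; do
    [ -e "$jar" ] || continue   # glob did not match: no Log4j at all
    found=1
    v=$(jar_version "$jar")
    if version_lt "$v" "$min"; then
      echo "OUTDATED $(basename "$jar") ($v < $min)"; rc=1
    else
      echo "OK       $(basename "$jar") ($v)"
    fi
  done
  [ "$found" -eq 1 ] || echo "no Log4j jars in $dir: application not impacted"
  return $rc
}

# Usage: ./check-log4j.sh target/libs <minimum-version>
if [ $# -ge 2 ]; then check_libs "$1" "$2"; fi
```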
Actions you can take
If your Helidon application uses Log4j, here are some options for upgrading it:
A: Upgrade Log4j without upgrading Helidon
If you are using Helidon’s Maven dependency management (which is the default behavior if you created your application from a Helidon example, the Quickstart, or the CLI), then you can override the version of Log4j by adding the following to your project’s pom.xml.
Read the complete article here.