Helidon and Log4j

Joe Di Pol, Helidon, Dec 22, 2021

This document describes the impact of the recent Log4j CVEs on Helidon 2 applications.

Helidon’s use of Log4j

By default, Log4j is not used by Helidon based applications and does not appear on the classpath. However, Helidon provides an optional Log4j integration module (helidon-logging-log4j), and Helidon manages the version of Log4j. If your application uses helidon-logging-log4j, or if your application uses Log4j directly, then your application will have declared an explicit dependency on Log4j, but the version of that dependency might be managed by Helidon.

How can I tell if I’m impacted?

You will only be impacted if your application declares a dependency on Log4j or on a component that depends on Log4j (since Log4j is an optional dependency of Helidon and Netty, it will not be included transitively from those projects). To check whether your application includes Log4j, inspect the target/libs directory of your Helidon application and see if log4j-*.jar is there.

Actions you can take

If your Helidon application uses Log4j here are some options for upgrading:

A: Upgrade Log4j without upgrading Helidon

If you are using Helidon’s Maven dependency management (which is the default behavior if you created your application from a Helidon example, Quickstart or the CLI) then you can override the version of Log4j by adding the following to your project’s pom.xml:

<properties>
<version.lib.log4j>2.17.0</version.lib.log4j>
</properties>

If you do not use Helidon’s dependency management then you can upgrade the version of Log4j specified in your dependencies. For example:

<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-api</artifactId>
<version>2.17.0</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-core</artifactId>
<version>2.17.0</version>
</dependency>

The above examples use version 2.17.0 for illustrative purposes. By the time you read this article newer versions of Log4j might be available.

B: Upgrade to Helidon 2.4.1 or newer

Helidon 2.4.1 upgrades the managed version of Log4j to 2.17.0, so upgrading to this release will upgrade the version of Log4j if you use Helidon’s dependency management.

Re-build and verify

After making one of the above changes rebuild your Helidon application and inspect the target/libs directory. Verify that the version of log4j-*-*.jar is 2.17.0 or newer.
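The two inspections above (checking whether log4j-*.jar is present in target/libs at all, and after the rebuild checking that every Log4j jar is 2.17.0 or newer) can be scripted so they run in CI. The following POSIX shell script is an added example, not code from the Helidon project or this article. It assumes a Maven build that copies runtime dependencies into target/libs, and that Log4j jar names end in their version (log4j-core-2.17.0.jar); the function names and the MIN_VERSION variable are this example's own. Version fields are compared numerically rather than as strings, so 2.3.x is correctly reported as older than 2.17.0.

```shell
#!/bin/sh
# Added example (not from the Helidon article): scan a Helidon build's target/libs
# directory for Log4j jars and report whether each one meets a minimum version.
# Assumes a Maven layout in which runtime dependencies are copied into target/libs.

# Minimum acceptable Log4j version; 2.17.0 is the version the article cites.
MIN_VERSION="${MIN_VERSION:-2.17.0}"

# jar_version PATH: extract the dotted version from a jar file name,
# e.g. target/libs/log4j-core-2.17.0.jar -> 2.17.0
jar_version() {
    _n="${1##*/}"          # drop directory part
    _n="${_n%.jar}"        # drop extension
    printf '%s\n' "${_n##*-}"   # text after the last '-' is the version
}

# version_ge A B: exit status 0 when dotted version A >= dotted version B.
# Fields are compared numerically so that 2.3.2 < 2.17.0 (a plain string
# compare would get this wrong). Missing trailing fields count as 0.
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _ah="${_a%%.*}"; _bh="${_b%%.*}"
        [ -z "$_ah" ] && _ah=0
        [ -z "$_bh" ] && _bh=0
        if [ "$_ah" -gt "$_bh" ]; then return 0; fi
        if [ "$_ah" -lt "$_bh" ]; then return 1; fi
        case "$_a" in *.*) _a="${_a#*.}";; *) _a="";; esac
        case "$_b" in *.*) _b="${_b#*.}";; *) _b="";; esac
    done
    return 0
}

# check_log4j_jars DIR [MIN]: list every log4j-*.jar in DIR and compare its
# version against MIN. Exit status 0 when no Log4j jars are present or all are
# at/above MIN; exit status 1 when at least one jar is below MIN.
check_log4j_jars() {
    _dir="$1"; _min="${2:-$MIN_VERSION}"; _rc=0; _found=0
    for _jar in "$_dir"/log4j-*.jar; do
        [ -e "$_jar" ] || continue      # glob matched nothing
        _found=1
        _ver=$(jar_version "$_jar")
        if version_ge "$_ver" "$_min"; then
            printf 'OK       %s (%s >= %s)\n' "${_jar##*/}" "$_ver" "$_min"
        else
            printf 'OUTDATED %s (%s < %s)\n' "${_jar##*/}" "$_ver" "$_min"
            _rc=1
        fi
    done
    if [ "$_found" -eq 0 ]; then
        printf 'No log4j-*.jar in %s: Log4j is not on this application'\''s classpath\n' "$_dir"
    fi
    return $_rc
}

# Usage: sh check-log4j.sh [libs-dir]   (defaults to target/libs)
check_log4j_jars "${1:-target/libs}"
```

Run it after `mvn package` from the project root; a non-zero exit status means at least one Log4j jar in target/libs is older than MIN_VERSION, which is the condition the rebuild-and-verify step above is meant to rule out. Note that it only reports what the build placed in target/libs, so a Log4j class relocated (shaded) inside another jar would not be seen.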

Software developer at Oracle working on Project Helidon (helidon.io).