Published in


Helidon and Log4j

This document describes the impact of the recent Log4j CVEs on Helidon 2 applications.

Helidon’s use of Log4j

By default Log4j is not used by Helidon based applications and does not appear on the classpath. However Helidon provides an optional Log4j integration module (helidon-logging-log4) and Helidon manages the version of Log4j. If your application uses helidon-logging-log4, or if your application uses Log4j directly then your application will have declared an explicit dependency on Log4j. But the version of this dependency might be managed by Helidon.

How can I tell if I’m impacted?

You will only be impacted if your application declares a dependency on Log4j or on a component that depends on Log4j (since log4j is an optional dependency of Helidon and Netty it will not be included transitively from those projects). To check if your application includes Log4j inspect the target/libs directory of your Helidon application and see if log4j-*.jar is there.

Actions you can take

If your Helidon application uses Log4j here are some options for upgrading:

A: Upgrade Log4j without upgrading Helidon

If you are using Helidon’s Maven dependency management (which is the default behavior if you created your application from a Helidon example or Quickstart or CLI) then you can override the version of Log4j by adding the following to your project’s pom.xml :


If you do not use Helidon’s dependency management then you can upgrade the version of Log4j specified in your dependencies. For example:


The above examples use version 2.17.0 for illustrative purposes. By the time you read this article newer versions of Log4j might be available.

B: Upgrade to Helidon 2.4.1 or newer

Helidon 2.4.1 upgrades the managed version of Log4j to 2.17.0, therefore upgrading to this release will upgrade the version of Log4j if you use Helidon’s dependency management.

Re-build and verify

After making one of the above changes rebuild your Helidon application and inspect the target/libs directory. Verify that the version of log4j-*-*.jar is 2.17.0 or newer.




The official project Helidon blog containing articles from Helidon developers and the developers community. All articles are approved by the Helidon team. Contact @dkornilov to publish your story.

Recommended from Medium

Edge Computing Security: Device Attestation Through A Certificate Hierarchy Approach

All the wrong tools

Asa critical care medicine specialist, I am used to seeing the sickest of the sick.

Activate the Google.com

Whiteboard Interview problems #1: The a^b problem

Log the method execution time using AOP for a spring boot application.

Recursion and The Tower of Hanoi

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joe Di Pol

Joe Di Pol

Software developer at Oracle working on Project Helidon (helidon.io).

More from Medium

Configuring ForgeRock Identity Management (IDM) to use multiple keystores or PKCS12 type keystores

Interaction Framework with Scenarios and Use Cases

Apache hive in 2 hours

Handling Dynamic Objects in CrateDB