Patching the "nuke-level" Log4j2 vulnerability that has recently engulfed most Internet companies has been the focus of the past two weeks. As for which version to upgrade to, the latest version, 2.16.0, is the best choice. As for how to upgrade quickly, I previously gave the simplest way to upgrade the version in a Spring Boot project.
With this simple configuration, you can upgrade all the log4j2 packages.
If this method does not work, be sure to reload the configuration. In addition, if yours is not a Spring Boot project, or log4j2 is imported in some other way, you may need to handle it separately: in your project's root dependencies, declare the log4j2 dependency explicitly and set its version to 2.16.0 to override the version imported elsewhere.
The configuration above is very simple, but some readers are still wondering why it works.
So today I will explain the principle behind this configuration.
Understanding why, step by step
I'll walk you through this configuration step by step, reading the files to trace the version back to its source. Beyond answering the question itself, I hope this article helps you learn how to investigate questions like this on your own.
Step 1: Take a look at your pom.xml. Do you see that many dependencies, including ones that are not Spring Boot starters, do not specify a version?
Since the project builds without those versions, they must be defined somewhere. Turning our attention to the parent, it seems the versions come from there.
Step 2: Take a closer look at spring-boot-starter-parent
When you open it, you can see an XML configuration like the one below, which mainly contains build-related settings rather than dependency information.
Step 3: spring-boot-starter-parent also has a parent of its own. Take a closer look at spring-boot-dependencies:
Once inside, we reach the main point: the version properties for every component managed by this Spring Boot version are defined here:
If you search for log4j2, you can see that 2.14.1 is used by default in this version:
Searching further, under the dependencyManagement node, you can see that the version of each dependency refers to the properties configured above:
So when we set the property in our own Spring Boot project, it overrides the property defined in the parent, and the version is updated.
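The override traced in the steps above, as an added example that is not part of the original article: a constructed `pom.xml` that inherits from `spring-boot-starter-parent` and redefines the `log4j2.version` property that `spring-boot-dependencies` uses. The project coordinates and the parent version placeholder are assumptions.

```xml
<!-- Added example: constructed pom.xml, not taken from the original article. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Parent chain: this project -> spring-boot-starter-parent -> spring-boot-dependencies -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- Placeholder: use the Spring Boot version your project is already on -->
    <version>YOUR-SPRING-BOOT-VERSION</version>
  </parent>

  <!-- Hypothetical coordinates for the sample project -->
  <groupId>com.example</groupId>
  <artifactId>demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Same property name that spring-boot-dependencies defines (2.14.1 there).
         The child's value wins during property interpolation, so every managed
         org.apache.logging.log4j artifact resolves to 2.16.0. -->
    <log4j2.version>2.16.0</log4j2.version>
  </properties>

  <dependencies>
    <!-- No <version> elements: versions come from dependencyManagement in the parent chain -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter</artifactId>
      <exclusions>
        <!-- Remove the default Logback starter so Log4j2 is the logging backend -->
        <exclusion>
          <groupId>org.springframework.boot</groupId>
          <artifactId>spring-boot-starter-logging</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-log4j2</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the result, run `mvn dependency:tree -Dincludes=org.apache.logging.log4j` and check that every listed artifact reports 2.16.0. An artifact that still shows the old version has its version pinned explicitly somewhere the property does not reach.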
OK, did you pick up today's small piece of knowledge?