Log4j2 Vulnerability and SmallRye

On Thursday (December 9th), a 0-day exploit in the popular Java logging library log4j (version 2) was discovered that results in Remote Code Execution (RCE) by logging a certain string. Please check the following links for additional information on this vulnerability:

If you are using log4j2, or have it available in your runtime, we advise you to update it to 2.15.0 as soon as possible.

What does this mean for SmallRye?

SmallRye libraries do not include or use any log4j artifacts in their runtime dependencies. Below you can find a detailed report for each SmallRye dependency (we used the Maven Dependency Plugin to search for possible inclusions):

  • smallrye-async-api

  • smallrye-common

  • smallrye-config

  • smallrye-context-propagation

  • smallrye-converters

  • smallrye-fault-tolerance

  • smallrye-graphql

  • smallrye-health

  • smallrye-jwt

  • smallrye-maven-plugin

  • smallrye-metrics

  • smallrye-mutiny

  • smallrye-mutiny-vertx-bindings

  • smallrye-mutiny-zero

  • smallrye-open-api

  • smallrye-opentelemetry

  • smallrye-opentracing

  • smallrye-parent

  • smallrye-reactive-converters

  • smallrye-reactive-messaging

  • smallrye-safer-annotations

  • smallrye-stork

  • smallrye-testing

The command used was: mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:tree -Dincludes=org.apache.logging.log4j::: -Dverbose

We were able to find that smallrye-reactive-messaging-kafka and smallrye-stork-service-discovery-eureka reference log4j2 artifacts, but only in the test scope, so this is not an issue.
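As an added example (not SmallRye's own tooling), here is a small POSIX shell scanner for the output of that plugin invocation: it lists every log4j2 artifact with its Maven scope, skips entries Maven reports as omitted, and flags only artifacts reachable outside the test scope at a version below 2.15.0. The sample dependency tree is constructed; scan_project assumes mvn is on PATH and is run from a Maven project.

```shell
# Added example, not SmallRye's own tooling: scan the output of the
# maven-dependency-plugin invocation from the post for log4j2 artifacts and
# flag any on the runtime classpath (scope other than test) below 2.15.0.

# Run the plugin on the project in the current directory (assumes mvn on PATH)
# and pipe its tree into the scanner.
scan_project() {
    mvn org.apache.maven.plugins:maven-dependency-plugin:2.8:tree \
        -Dincludes=org.apache.logging.log4j::: -Dverbose | scan_tree
}

# Read dependency:tree lines on stdin and print "<scope> <artifactId> <version>
# <verdict>" for every log4j2 coordinate. Coordinate lines look like
#   [INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
# Exit status 1 if any non-test artifact is older than 2.15.0.
scan_tree() {
    awk -v fixed="2.15.0" '
        # compare dotted versions numerically, field by field (like strcmp)
        function vercmp(a, b,   x, y, i) {
            split(a, x, "."); split(b, y, ".")
            for (i = 1; i <= 3; i++) if (x[i] + 0 != y[i] + 0) return x[i] - y[i]
            return 0
        }
        match($0, /org\.apache\.logging\.log4j:[^ )]+/) {
            coord = substr($0, RSTART, RLENGTH)
            n = split(coord, f, ":")   # group:artifact:type[:classifier]:version:scope
            artifact = f[2]; version = f[n - 1]; scope = f[n]
            if ($0 ~ /omitted for/)        verdict = "skipped (omitted by Maven, not resolved)"
            else if (scope == "test")      verdict = "ok (test scope only)"
            else if (vercmp(version, fixed) < 0) { verdict = "VULNERABLE"; bad = 1 }
            else                           verdict = "ok (patched)"
            print scope, artifact, version, verdict
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample in the plugin output format (not real SmallRye output).
sample_tree() {
    cat <<'EOF'
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- org.apache.kafka:kafka_2.13:jar:3.0.0:test
[INFO] |  \- org.apache.logging.log4j:log4j-core:jar:2.14.1:test
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.15.0:compile
[INFO] \- com.example:legacy-logging:jar:0.9:compile
[INFO]    +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    \- (org.apache.logging.log4j:log4j-api:jar:2.14.1:compile - omitted for conflict with 2.15.0)
EOF
}
```

Running `sample_tree | scan_tree` reports the test-scoped log4j-core as harmless and the compile-scoped 2.14.1 log4j-core as VULNERABLE, returning a non-zero status that can fail a CI job.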

Additionally, since all SmallRye projects receive dependabot updates, we can detect any possible updates to log4j2 dependencies with the following GitHub report. Indeed, dependabot sent two updates to smallrye-mutiny-vertx-bindings, but these updates target the dependencies of a Maven plugin execution, so again this is not an issue for runtime.

Additional Information

Even though SmallRye itself is not directly affected by this vulnerability, the runtime in which you run SmallRye may still be vulnerable. Check whether this is the case and upgrade the log4j2 version.

Feel free to reach out to the SmallRye team on the SmallRye Mailing List if you experience any issue with any of the SmallRye libraries.