Explicitly set Log4J version for Struts2 as transitive dependency is outdated (CVE-2021-44228)

deki · deki · commit 66e90a1f205f · 2021-12-15T13:51:17.000+01:00
diff --git a/aws-serverless-java-container-struts2/pom.xml b/aws-serverless-java-container-struts2/pom.xml
@@ -16,6 +16,7 @@
 
     <properties>
         <struts2.version>2.5.26</struts2.version>
+        <log4j.version>2.16.0</log4j.version>
     </properties>
 
     <dependencies>
@@ -37,6 +38,18 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <dependency><!-- explicitly set log4j version as struts2-core contains the vulnerable one CVE-2021-44228 -->
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>${log4j.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency><!-- explicitly set log4j version as struts2-core contains the vulnerable one CVE-2021-44228 -->
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>${log4j.version}</version>
+            <scope>runtime</scope>
+        </dependency>
 
         <dependency>
             <groupId>org.apache.struts</groupId>
