What is the target release date for this cve patch?

@zhoujia1974 The project milestones page shows the planned dates for upcoming releases, including the 2.5.8 release that this issue is scheduled for.

considering the severity of this CVE, could that be moved up? (i know folks can fix it otherwise... but will they?)

We discussed the idea of doing an earlier release but ultimately decided to stick with our existing schedule. The main reason is we manage an awful lot of dependencies and we don’t really want to trigger releases anytime one of them has a CVE. Another factor is the fact that our out-of-the-box setup doesn’t include log4j-core.

We have published a blog post about the vulnerability to help people understand their options. It’s at https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot

totally agree with that in general - but this isn't exactly your average CVE. it certainly helps that it's not the default logging framework, but... still to this layman, it seems patch-worthy. thanks for the details blog post tho! that'll definitely help folks

Will this be backported to Spring Boot 2.4.x? The blog article speaks about just 2.5.x and 2.6.x.

@mauromol Spring Boot 2.4.x is out of OSS support.

Reopening to upgrade to 2.17.0 per CVE-2021-45105.