How to Quickly Upgrade Log4j2 to 2.16.0 in Spring Boot Projects

Log4j2's critical vulnerability has forced many internet companies to upgrade; the recommended version is 2.16.0. This article shows a simple Maven configuration that upgrades all Log4j2 packages in a Spring Boot project.

Using the following minimal configuration, you can upgrade Log4j2:

If this method fails, reload after adding the configuration. For non‑Spring Boot projects or other ways of including Log4j2, add the Log4j2 dependency with version 2.16.0 in the root dependencies to force an override.

Step‑by‑Step Understanding Why

First step : Examine your pom.xml and notice many dependencies (including non‑Spring Boot starters) lack a version tag.

Since the version is not specified, it is inherited from the parent POM.

Second step : Look into the spring-boot-starter-parent content.

Inside you will see an xml configuration mainly related to build, not dependency information.

Third step : Continue inspecting spring-boot-starter-parent; it itself has a parent spring-boot-dependencies.

In this file you can see the version parameters for each component under the current Spring Boot version.

Search for log4j2 and you will find the default version is 2.14.1:

Further down, under the dependencyManagement node, each dependency’s version is defined by referencing the above properties:

Therefore, by adding the appropriate properties entries to your own Spring Boot project, you can override the parent’s properties and upgrade the Log4j2 version to 2.16.0.