banning-log4j2.pom.xml

<!-- plug-in configuration to put into your parent POM for avoiding any usages of
     outdated log4j2 versions, some of which are subject to the RCE CVE-2021-44228
     ("Log4Shell"), CVE-2021-45046, and CVE-2021-45105. Make sure to check for the
     latest version of log4j2 at
     https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core -->
...
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.0.0</version>
  <executions>
    <execution>
      <id>ban-bad-log4j-versions</id>
      <phase>validate</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <bannedDependencies>
            <excludes>
              <exclude>org.apache.logging.log4j:log4j-core:(,2.17.0)</exclude>
            </excludes>
          </bannedDependencies>
        </rules>
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
...

@gunnarmorling
Thank you for the snippet.
You might want to update your snippet to exclude 2.16.0 as well ? Apache has released 2.17.0 , as new CVE is disclosed overnight by Apache CVE-2021-45105,Fixed in Log4j 2.17.0

Updated to 2.17.0.

@gunnarmorling I can only get this to work if I use brackets instead of parenthesis, i.e.

<exclude>org.apache.logging.log4j:log4j-core:[,2.16.0]</exclude>

instead of

<exclude>org.apache.logging.log4j:log4j-core:(,2.16.0)</exclude>

The documentation at https://maven.apache.org/enforcer/enforcer-rules/bannedDependencies.html also seems to indicate that without being completely explicit

You might want to update your snippet to exclude 2.17.0 as well ? Apache has released 2.17.1 , as new CVE is disclosed by Apache CVE-2021-44832,Fixed in Log4j 2.17.1
https://logging.apache.org/log4j/2.x/security.html

Adding to what @vegegoku reference posted:

Here is a link which might be helpful for Gradle projects
https://blog.gradle.org/log4j-vulnerability