diff --git a/kork-artifacts/kork-artifacts.gradle b/kork-artifacts/kork-artifacts.gradle
index 9a12ae570..7efbb1594 100644
--- a/kork-artifacts/kork-artifacts.gradle
+++ b/kork-artifacts/kork-artifacts.gradle
@@ -14,7 +14,6 @@ dependencies {
   implementation "org.springframework.boot:spring-boot-autoconfigure"
   implementation "org.springframework.security:spring-security-core"
   implementation 'org.apache.logging.log4j:log4j-api'
-  implementation 'org.apache.logging.log4j:log4j-core'
   api "com.hubspot.jinjava:jinjava"
 
   testImplementation "org.assertj:assertj-core"
diff --git a/kork-core/kork-core.gradle b/kork-core/kork-core.gradle
index ed6e91f18..064452767 100644
--- a/kork-core/kork-core.gradle
+++ b/kork-core/kork-core.gradle
@@ -18,6 +18,7 @@ dependencies {
   api "io.github.resilience4j:resilience4j-retry"
   api "io.github.resilience4j:resilience4j-spring-boot2"
 
+  implementation "org.apache.logging.log4j:log4j-api"
   implementation "com.fasterxml.jackson.core:jackson-annotations"
   implementation "com.fasterxml.jackson.core:jackson-databind"
   implementation "com.netflix.spectator:spectator-ext-gc"
diff --git a/kork-credentials/kork-credentials.gradle b/kork-credentials/kork-credentials.gradle
index 1901bd0c0..0e7a3458d 100644
--- a/kork-credentials/kork-credentials.gradle
+++ b/kork-credentials/kork-credentials.gradle
@@ -21,6 +21,7 @@ dependencies {
   api project(":kork-credentials-api")
   api project(":kork-annotations")
   implementation(platform(project(":spinnaker-dependencies")))
+  implementation 'org.apache.logging.log4j:log4j-api'
   implementation "org.springframework.boot:spring-boot"
   implementation 'org.springframework.boot:spring-boot-starter-json'
   implementation 'javax.annotation:javax.annotation-api'
diff --git a/kork-secrets/kork-secrets.gradle b/kork-secrets/kork-secrets.gradle
index 84d149213..e926a4799 100644
--- a/kork-secrets/kork-secrets.gradle
+++ b/kork-secrets/kork-secrets.gradle
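Review bot: Removing `log4j-core` while keeping `implementation 'org.apache.logging.log4j:log4j-api'` on the context line just above leaves this module calling a logging API with no implementation declared in its own build file; unless a bridge such as `log4j-to-slf4j` reaches the runtime classpath from the consuming application, log4j-api falls back to its minimal built-in logger and lower-severity statements from this module may never be recorded, which matters for audit trails and incident triage. The module sources and the consuming application's runtime configuration are not visible in this diff, so confirm that a bridge is actually present in the shipped artifact rather than assumed. The same consideration applies to kork-core, kork-credentials, kork-secrets and kork-security, which gain a direct `log4j-api` dependency in the following hunks of this commit. Consider recording the intent next to the retained line, e.g. `// log4j-api only: the logging implementation (e.g. a log4j-to-slf4j bridge) comes from the consuming app; do not add log4j-core here`.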
@@ -14,6 +14,7 @@ dependencies {
   implementation "org.yaml:snakeyaml"
   implementation "com.google.guava:guava"
   implementation "org.apache.commons:commons-lang3"
+  implementation "org.apache.logging.log4j:log4j-api"
 
   testImplementation "com.hubspot.jinjava:jinjava"
   testImplementation "org.spockframework:spock-core"
diff --git a/kork-security/kork-security.gradle b/kork-security/kork-security.gradle
index 336ea06af..3ef147dd6 100644
--- a/kork-security/kork-security.gradle
+++ b/kork-security/kork-security.gradle
@@ -11,6 +11,7 @@ dependencies {
   api "com.fasterxml.jackson.core:jackson-annotations"
 
   implementation "com.google.guava:guava"
+  implementation "org.apache.logging.log4j:log4j-api"
   implementation "org.slf4j:slf4j-api"
 
   testImplementation "org.spockframework:spock-core"
diff --git a/spinnaker-dependencies/spinnaker-dependencies.gradle b/spinnaker-dependencies/spinnaker-dependencies.gradle
index ab8fe695b..37eaa1796 100644
--- a/spinnaker-dependencies/spinnaker-dependencies.gradle
+++ b/spinnaker-dependencies/spinnaker-dependencies.gradle
@@ -57,8 +57,8 @@ dependencies {
   */
   // Log4shell safeguard. Per analysis, log4j-core is not included in dependencies, but this would prevent transitive inclusion of it by extension
   // platforms. Doing 2.16.0 which completely removes message lookups AND sets jndi to disabled by default
-
-  api(platform("org.apache.logging.log4j:log4j-bom:2.16.0"))
+  // 2.16.0 is subject to CVE-2021-45105. 2.17.0 is subject to CVE-2021-44832, so use >= 2.17.1.
+  api(platform("org.apache.logging.log4j:log4j-bom:2.20.0"))
 
   //Upgrade of spring boot 2.5.x brings groovy 3.x as transitive dependency.
   //To avoid transitive upgrade of groovy, pinning it with enforcedPlatform() closure.
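Review bot: The context comment two lines above the new BOM line still says `Doing 2.16.0 which completely removes message lookups AND sets jndi to disabled by default`, which now contradicts both the pinned `log4j-bom:2.20.0` and the new `use >= 2.17.1` note; the two comments should be merged into one coherent statement, e.g. `// Log4shell safeguard: pin log4j to >= 2.17.1 (2.16.0 is subject to CVE-2021-45105, 2.17.0 to CVE-2021-44832); currently 2.20.0. Message lookups were removed and JNDI disabled by default from 2.16.0.` Separately, the retained wording `this would prevent transitive inclusion of it` overstates what `api(platform(...))` does: a BOM aligns the version of whatever log4j artifacts do reach the classpath, it does not exclude `log4j-core` if an extension or platform brings it in transitively. If exclusion is the actual intent, that needs an explicit rule such as `configurations.all { exclude group: 'org.apache.logging.log4j', module: 'log4j-core' }` or a build-time dependency check, and the comment should name which control is relied on so the next reader does not assume more protection than the BOM provides.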