What's the difference between slf4j-log4j12 and log4j-over-slf4j and when should each be used?
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-log4j12</artifactId>
    <version>1.7.12</version>
</dependency>
<dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>log4j-over-slf4j</artifactId>
    <version>1.7.12</version>
</dependency>
Thus, if your SLF4J provider/binding is slf4j-log4j12.jar, you are safe regarding CVE-2021-44228. If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.
slf4j-log4j12 provides a bridge between SLF4J and Log4j 1.2 so that SLF4J knows how to log using Log4j. You are using Log4j 1.2. That version's binding is maintained by the SLF4J project. Here is a summary from the SLF4J docs: SLF4J supports various logging frameworks.
SLF4J ships with a module called log4j-over-slf4j. It allows log4j users to migrate existing applications to SLF4J without changing a single line of code but simply by replacing the log4j.jar file with log4j-over-slf4j.
As mentioned previously, SLF4J supports various logging frameworks. The SLF4J distribution ships with several jar files referred to as "SLF4J bindings", with each binding corresponding to a supported framework. Binding/provider for log4j version 1.2, a widely used logging framework.
log4j-over-slf4j
Use this if your code or some libraries you are using uses Log4j directly, but you want to use a different SLF4J binding than Log4j. It will route the Log4j API calls to SLF4J to the binding you choose. You need to remove the Log4j library from your classpath and replace it with this dependency.
slf4j-log4j12
Use this if you want to use the Log4j 1.2 binding for SLF4J.
You shouldn't use both of these libraries at the same time.
Please note also that Log4j 2 has been released.
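One way to check a build for the situations described above, as an added example that is not part of the original answer or of SLF4J: the script reads `mvn dependency:tree` output and flags both artifacts being present together, a leftover Log4j 1.x jar next to log4j-over-slf4j, and a Log4j 2 backend to review against CVE-2021-44228. The function names, finding codes and sample trees are constructed for illustration.

```python
import re

# groupId:artifactId:jar:version:scope, as printed by `mvn dependency:tree`
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")

MESSAGES = {
    "CONFLICT": "slf4j-log4j12 and log4j-over-slf4j are both present; they delegate to each other, keep only one",
    "SHADOWED": "log4j 1.x jar is still on the classpath next to log4j-over-slf4j; remove it",
    "LOG4J2": "log4j-core 2.x is present; review it against CVE-2021-44228",
}

def parse_tree(text):
    """Map artifactId -> version for every jar listed in the tree output."""
    return {m.group(2): m.group(3) for m in COORD.finditer(text)}

def audit(text):
    """Return finding codes for the SLF4J/Log4j wiring in a dependency tree."""
    deps = parse_tree(text)
    binding = "slf4j-log4j12" in deps    # SLF4J API -> Log4j 1.2 backend
    bridge = "log4j-over-slf4j" in deps  # Log4j 1.x API -> SLF4J
    codes = []
    if binding and bridge:
        codes.append("CONFLICT")
    if bridge and "log4j" in deps:
        codes.append("SHADOWED")
    if deps.get("log4j-core", "").startswith("2."):
        codes.append("LOG4J2")
    return codes

# Constructed sample trees (not taken from any real project).
BINDING_ONLY = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.slf4j:slf4j-log4j12:jar:1.7.12:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.12:compile
[INFO] |  \\- log4j:log4j:jar:1.2.17:compile
"""
BOTH = BINDING_ONLY + "[INFO] \\- org.slf4j:log4j-over-slf4j:jar:1.7.12:compile\n"
BRIDGE_TO_LOG4J2 = """\
[INFO] com.example:app:jar:1.0-SNAPSHOT
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.12:compile
[INFO] +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for tree in (BINDING_ONLY, BOTH, BRIDGE_TO_LOG4J2):
        codes = audit(tree)
        print(codes or ["OK"], *(MESSAGES[c] for c in codes), sep="\n    ")
```

An empty result for a tree means none of the three conditions was found; it does not inspect jars bundled inside other archives.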