Is Logback also affected by Log4j 0-day vulnerability issue in Spring Boot? [closed]

As I understand it, Logback is written by the same authors. Our applications are using Logback instead. Is there a chance that Logback is also affected by the exploit in Log4j?

This is critical for our organisation.

saran3h asked Dec 13 '21 04:12



1 Answer

From the Spring blog:

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Useful explanation points:

log4j-to-slf4j is an adapter between the Log4j API and SLF4J. It indeed brings log4j-api, but it does not bring log4j-core, so our starter is not affected by this vulnerability.

Arun Sai answered Oct 16 '22 19:10
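The answer's distinction turns on which artifact is on the classpath: log4j-api and log4j-to-slf4j (what spring-boot-starter-logging ships next to Logback) are not exploitable on their own, while log4j-core is the artifact CVE-2021-44228 applies to. The script below is an added example, not code from the answer or from Spring, that classifies a Maven/Gradle dependency tree on those lines. The function names (classify_tree, log4j_core_version) are hypothetical and the dependency-tree listings, including their version numbers, are constructed sample data; in a real project you would pipe in the output of `mvn dependency:tree` or `./gradlew dependencies` instead.

```shell
#!/bin/sh
# Added example (not from the original answer): sort a dependency tree into
# "log4j-core present", "only log4j-api / log4j-to-slf4j present", or "no Log4j 2".
# All three sample trees below are CONSTRUCTED; versions are illustrative only.

# Constructed: Spring Boot app that kept the default Logback setup.
SAMPLE_LOGBACK_TREE='[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \- org.slf4j:jul-to-slf4j:jar:1.7.32:compile'

# Constructed: app that switched the logging system to spring-boot-starter-log4j2.
SAMPLE_LOG4J2_TREE='[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  |  \- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  \- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile'

# Constructed: plain Logback, no Log4j 2 artifacts at all.
SAMPLE_NONE_TREE='[INFO] +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  \- ch.qos.logback:logback-core:jar:1.2.7:compile'

# classify_tree: reads a dependency tree on stdin, prints exactly one word.
#   log4j-core -> the exploitable artifact is on the classpath; check its version / upgrade
#   api-only   -> only log4j-api and/or log4j-to-slf4j (the Spring Boot default); not exploitable on its own
#   none       -> no org.apache.logging.log4j artifacts
# Matches both Maven ("group:artifact:jar:version:scope") and Gradle ("group:artifact:version") lines.
classify_tree() {
    tree=$(cat)   # buffer stdin so it can be scanned more than once
    if printf '%s\n' "$tree" | grep -q 'org\.apache\.logging\.log4j:log4j-core:'; then
        printf 'log4j-core\n'
    elif printf '%s\n' "$tree" | grep -q 'org\.apache\.logging\.log4j:log4j-'; then
        printf 'api-only\n'
    else
        printf 'none\n'
    fi
}

# log4j_core_version: prints the first log4j-core version found on stdin (empty if none),
# so the result can be compared against the fixed release your upgrade plan targets.
log4j_core_version() {
    sed -n 's/.*:log4j-core:\(jar:\)\{0,1\}\([^: ]*\).*/\2/p' | head -n 1
}

# Stand-alone demo over the constructed samples.
# Real usage:  mvn dependency:tree | classify_tree     or     ./gradlew dependencies | classify_tree
printf 'logback default : %s\n' "$(printf '%s\n' "$SAMPLE_LOGBACK_TREE" | classify_tree)"
printf 'log4j2 starter  : %s (log4j-core %s)\n' \
    "$(printf '%s\n' "$SAMPLE_LOG4J2_TREE" | classify_tree)" \
    "$(printf '%s\n' "$SAMPLE_LOG4J2_TREE" | log4j_core_version)"
printf 'plain logback   : %s\n' "$(printf '%s\n' "$SAMPLE_NONE_TREE" | classify_tree)"
```

An "api-only" result is the situation the answer describes for the Spring Boot default, and "none" means no Log4j 2 artifact at all; only "log4j-core" means the dependency the vulnerability lives in is present, and the version it prints is what to compare against the fixed releases. Note that this checks declared dependencies only; a shaded or fat jar that bundles log4j-core classes would need the archive itself inspected.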