As I understand it, Logback is written by the same authors. Our applications are using Logback instead. Is there a chance that Logback is also affected by the exploit in Log4j?
This is critical for our organisation.
1. As Logback has been improved, log4j, log4j2 and Logback have no difference in terms of performance or features. Therefore log4j was the most used logging utility before the newer Logback versions were invented.
Only applications using log4j-core and including user input in log messages are vulnerable.
As such, using log4j 2.x, even via SLF4J, does not mitigate the vulnerability. However, as mentioned already, log4j 1.x is safe with respect to CVE-2021-44228.
From the Spring blog:

"Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable."

Useful explanation points: log4j-to-slf4j is an adapter between the Log4j API and SLF4J. It indeed brings log4j-api, but it does not bring log4j-core, so our starter is not affected by this vulnerability.
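The rule quoted above (only log4j-core is exploitable; log4j-api and log4j-to-slf4j on their own are not; Logback is a different project) is easy to apply mechanically to a build's dependency tree. The following Python script is an added example, not code from the thread, from Spring or from the Log4j project. It parses constructed "mvn dependency:tree" output for two hypothetical Spring Boot applications (one on the default Logback starter, one switched to the Log4j 2 starter) and reports whether log4j-core is actually on the classpath. The version boundary it uses (2.0-beta9 up to 2.14.1 affected, fixed in 2.15.0, with 2.12.2 as the Java 7 backport) is the published range for CVE-2021-44228 only; later Log4j CVEs and the Java 6 backport line are deliberately not modelled.

```python
"""Classify a Maven dependency tree for CVE-2021-44228 (Log4Shell) exposure.

Added example, not from the original thread. It encodes the Spring blog's
rule: only log4j-core is exploitable; log4j-api / log4j-to-slf4j alone are
not; Logback is unaffected by this CVE. The two sample trees below are
constructed for illustration (hypothetical com.example:demo application).
"""
import re

LOG4J_GROUP = "org.apache.logging.log4j"
LOGBACK_GROUP = "ch.qos.logback"

# Constructed tree: default Spring Boot logging (Logback) plus the
# log4j-to-slf4j bridge, which drags in log4j-api but NOT log4j-core.
SAMPLE_TREE_SAFE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.6.1:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.7:compile
[INFO] |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.slf4j:jul-to-slf4j:jar:1.7.32:compile
"""

# Constructed tree: same app after switching to spring-boot-starter-log4j2,
# which is exactly the case where log4j-core appears on the classpath.
SAMPLE_TREE_EXPOSED = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-log4j2:jar:2.6.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-slf4j-impl:jar:2.14.1:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] |  |  \\- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-jul:jar:2.14.1:compile
"""

# groupId:artifactId:jar:version as printed by mvn dependency:tree
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)")


def parse_tree(text):
    """Return (groupId, artifactId, version) tuples found in dependency:tree output."""
    return [m.groups() for m in COORD_RE.finditer(text)]


def version_key(v):
    """Comparable key for versions like '2.14.1' or '2.0-beta9'.

    Pre-release tags (the part after '-') sort before the final release of
    the same numeric version, which is all this example needs.
    """
    numeric, _, pre = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", numeric))
    return (nums, 0 if pre else 1, pre)


def core_affected_by_44228(version):
    """True if this log4j-core version is in the published CVE-2021-44228 range.

    Affected: 2.0-beta9 <= v < 2.15.0, except the 2.12.2+ Java 7 backport.
    The Java 6 backport line (2.3.x) is not modelled here.
    """
    k = version_key(version)
    if k >= version_key("2.15.0"):
        return False
    if version_key("2.12.2") <= k < version_key("2.13.0"):
        return False
    return k >= version_key("2.0-beta9")


def classify(tree_text):
    """Return (status, reason) for one dependency tree.

    EXPOSED          log4j-core in the affected range is on the classpath;
                     exploitable if attacker-controlled strings reach a log call.
    PATCHED          log4j-core present but at a fixed version.
    NOT_EXPLOITABLE  only log4j-api / bridges present, no log4j-core.
    NOT_AFFECTED     no Log4j 2 artifacts at all (e.g. Logback only).
    """
    deps = parse_tree(tree_text)
    core = [v for g, a, v in deps if g == LOG4J_GROUP and a == "log4j-core"]
    other_log4j = sorted({a for g, a, _ in deps if g == LOG4J_GROUP and a != "log4j-core"})
    logback = [a for g, a, _ in deps if g == LOGBACK_GROUP]

    if core:
        affected = [v for v in core if core_affected_by_44228(v)]
        if affected:
            return "EXPOSED", "log4j-core %s on the classpath" % ", ".join(affected)
        return "PATCHED", "log4j-core %s is outside the affected range" % ", ".join(core)
    if other_log4j:
        return "NOT_EXPLOITABLE", "only %s present, no log4j-core" % ", ".join(other_log4j)
    if logback:
        return "NOT_AFFECTED", "Logback only (%s); CVE-2021-44228 is a log4j-core bug" % ", ".join(logback)
    return "NOT_AFFECTED", "no Log4j 2 artifacts found"


if __name__ == "__main__":
    for name, tree in (("logback starter", SAMPLE_TREE_SAFE),
                       ("log4j2 starter", SAMPLE_TREE_EXPOSED)):
        status, reason = classify(tree)
        print("%-16s %-16s %s" % (name, status, reason))
```

Run it against the real output of "mvn dependency:tree" (or the equivalent Gradle listing, after adjusting COORD_RE) for each deployable artifact; an EXPOSED result still needs the second half of the Spring rule checked by hand, namely whether any attacker-influenced string (headers, form fields, usernames) reaches a log message.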