<div dir="ltr">Hello Slf4j community,<div><br></div><div>I'd like to share a happy discovery about the well-known "Log4shell" vulnerability on Log4j2.  Apps that use Slf4j with Log4j2 backing (and which don't otherwise call Log4j2 directly) can be mitigated by log4j2.formatMsgNoLookups=true</div><div><br></div><div><a href="https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz">https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz</a><br></div><div><br></div><div>As I write this (with Ralph having yet to respond to my follow-up), it's not really some final determination but it's highly encouraging.</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">~ David Smiley<div>Apache Lucene/Solr Search Developer</div><div><a href="http://www.linkedin.com/in/davidwsmiley" target="_blank">http://www.linkedin.com/in/davidwsmiley</a></div></div></div></div></div></div>
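A check for the two conditions the message names (the property set on the JVM, and no direct calls into Log4j2), as an added example that is not part of the original post or of any project's code. The function names, sample command lines and sample sources are constructed, and the option-parsing rules noted in the comments are assumptions.

```python
import re
import shlex

FLAG = "log4j2.formatMsgNoLookups"  # property named in the message
# Direct use of the Log4j2 API package; SLF4J callers import org.slf4j instead.
DIRECT_LOG4J2 = re.compile(r"\borg\.apache\.logging\.log4j\b")
TAKES_VALUE = {"-cp", "-classpath", "--class-path"}  # options followed by a value


def flag_enabled(command_line):
    """True if the JVM options (not the program arguments) set FLAG to true."""
    value = None
    tokens = iter(shlex.split(command_line)[1:])  # skip the java executable
    for tok in tokens:
        if tok in TAKES_VALUE:
            next(tokens, None)  # skip the classpath value
        elif tok == "-jar" or not tok.startswith("-"):
            break  # what follows the jar / main class goes to the application
        elif tok.startswith("-D"):
            name, _, val = tok[2:].partition("=")
            if name == FLAG:
                value = val  # assumption: a later -D overrides an earlier one
    # Assumption: the value is compared to "true" without regard to case.
    return value is not None and value.lower() == "true"


def direct_log4j2_users(sources):
    """Names of source files that mention the Log4j2 API package (comments too)."""
    return sorted(n for n, text in sources.items() if DIRECT_LOG4J2.search(text))


def conditions_hold(command_line, sources):
    """Both conditions from the message: flag set and no direct Log4j2 use."""
    return flag_enabled(command_line) and not direct_log4j2_users(sources)


# Constructed sample sources: one SLF4J-only class, one calling Log4j2 directly.
SLF4J_ONLY = {"Search.java": "import org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n"}
MIXED = dict(SLF4J_ONLY, **{"Audit.java": "import org.apache.logging.log4j.LogManager;\n"})

if __name__ == "__main__":
    cmd = "java -Dlog4j2.formatMsgNoLookups=true -jar app.jar"  # constructed
    print("flag set:", flag_enabled(cmd))
    print("direct Log4j2 users:", direct_log4j2_users(MIXED))
    print("conditions hold (SLF4J only):", conditions_hold(cmd, SLF4J_ONLY))
```
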