[logback-dev] Remote code execution vulnerability in log4j 2.x
Ceki Gülcü
ceki at qos.ch
Fri Dec 10 10:36:58 CET 2021
Hello all,

You might have heard of a Remote code execution (RCE) vulnerability in
log4j 2.x, which allows an attacker to execute arbitrary code by
controlling the contents of a single logged message. While
vulnerabilities are reported now and then, this vulnerability is totally
unheard of in its severity.

As for logback, while logback claims to be the successor to log4j 1.x,
logback is unrelated to log4j 2.x. It shares neither code nor
vulnerabilities with log4j 2.x. More specifically, logback does not
suffer from the aforementioned RCE vulnerability in any shape or form.

Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x
is used as the back-end implementation. Given the severity of this
issue, we encourage you to consider logback as the preferred back-end
for SLF4J API.

Also note that logback performs significantly better than log4j 2.x.
Please see the benchmark results at:
http://logback.qos.ch/performance.html

Better yet, run the benchmark yourself.
https://github.com/ceki/logback-perf

In our opinion, logging libraries need to be reliable first and foremost
with new features added only with extreme care.

Best regards,

Further references to the RCE vulnerability:
https://www.lunasec.io/docs/blog/log4j-zero-day/
https://twitter.com/P0rZ9/status/1468949890571337731
https://github.com/apache/logging-log4j2/pull/608
--
Ceki Gülcü
Please contact sales at qos.ch for support related to SLF4J or logback
projects.
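
The message above says SLF4J users are exposed only when log4j 2.x is the back-end. The following is an added example, not part of the original post or of either project: a way to check which back-end an application archive actually ships, assuming the libraries can be recognised by one well-known class file each. The sample archives and their jar names are constructed.

```python
import io
import zipfile

# Marker class files; a path ending in one of these identifies the library,
# whether it sits at the jar root or under a prefix such as WEB-INF/classes/.
MARKERS = {
    "org/apache/logging/slf4j/Log4jLoggerFactory.class": "slf4j-to-log4j2 binding",
    "org/apache/logging/log4j/core/LoggerContext.class": "log4j-core 2.x",
    "ch/qos/logback/classic/LoggerContext.class": "logback-classic",
}
NESTED = (".jar", ".war", ".ear")

def find_backends(archive, label="<root>", depth=0, max_depth=4):
    """Return sorted (location, library) pairs for a JAR/WAR path or file object,
    recursing into nested archives (fat jars) up to max_depth levels."""
    found = set()
    try:
        zf = zipfile.ZipFile(archive)
    except zipfile.BadZipFile:
        return []  # not a readable archive, nothing to report
    with zf:
        for name in zf.namelist():
            for marker, library in MARKERS.items():
                if name.endswith(marker):
                    found.add((label, library))
            if name.lower().endswith(NESTED) and depth < max_depth:
                inner = io.BytesIO(zf.read(name))
                found.update(find_backends(inner, f"{label}!/{name}", depth + 1, max_depth))
    return sorted(found)

def routes_slf4j_to_log4j2(findings):
    """True when both the SLF4J binding for log4j 2.x and log4j-core are present."""
    libs = {lib for _, lib in findings}
    return {"slf4j-to-log4j2 binding", "log4j-core 2.x"} <= libs

def make_jar(entries):
    """Build an in-memory archive from {entry name: bytes} (used for the samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: one fat jar bundling log4j 2.x, one bundling logback.
SAMPLE_LOG4J2_APP = make_jar({
    "BOOT-INF/lib/log4j-core.jar": make_jar({"org/apache/logging/log4j/core/LoggerContext.class": b""}),
    "BOOT-INF/lib/log4j-slf4j-impl.jar": make_jar({"org/apache/logging/slf4j/Log4jLoggerFactory.class": b""}),
})
SAMPLE_LOGBACK_APP = make_jar({
    "BOOT-INF/lib/logback-classic.jar": make_jar({"ch/qos/logback/classic/LoggerContext.class": b""}),
})
```

`find_backends` also accepts a file path, so it can be pointed at a deployed artifact; relocated (shaded) packages will not match these markers.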