[logback-dev] SECURITY FIX - Release of logback version 1.2.8 with security Fixes

Ceki Gülcü ceki at qos.ch
Tue Dec 14 13:38:20 CET 2021


== Includes security fixes ====

Hello all,

In the wake of CVE-2021-44228, a serialization related
vulnerability has been reported which affects logback.

In response to this vulnerability we have disabled all JNDI
lookup code in logback until further notice. This impacts
ContextJNDISelector and <insertFromJNDI> element in configuration
files.

We have also removed all database (JDBC) related code in the
project with no replacement.

We note that the vulnerability mentioned in LOGBACK-1591 [1]
requires write access to logback's configuration file as a
prerequisite. An demo of the vulnerability can be found at [2].

We urge you to upgrade to logback 1.2.8 as soon as possible.

A release on the 1.3.x branch will follow shorty.

As an additional precautionary measure, we also recommend users
to set their configuration files as read-only.

Best regards,

[1] https://jira.qos.ch/browse/LOGBACK-1591
[2] https://github.com/cn-panda/logbackRceDemo


-- 
Ceki Gülcü

Please contact sales(at)qos.ch for support related to SLF4J or
logback projects.


More information about the logback-dev mailing list