[logback-dev] Security Fix - logback 1.2.9 and 1.3.0-alpha11

Ceki Gülcü ceki at qos.ch
Fri Dec 17 03:49:06 CET 2021


Hello all,

Since the publication of the log4shell attack, a vulnerability of lesser 
importance has been reported against logback, namely CVE-2021-42550.

   See https://cve.report/CVE-2021-42550  for a description.
   See https://github.com/cn-panda/logbackRceDemo for a demo of the
   attack.

In response, we have made several changes to logback components so as to 
harden them. We have also dropped Groovy configuration support with no 
replacement.

Please refer to the news page for more details.

   http://logback.qos.ch/news.html

Even if the vulnerability found in logback is less threatening, we 
highly recommend that you upgrade to logback version 1.2.9 if you are on 
the 1.2.x series and to version 1.3.0-alpha11 if you are already on the 
1.3.x series.
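As an added example that is not part of this message or of the logback project, here is a small Python check that scans `mvn dependency:tree` style output for logback coordinates below the versions recommended above; the dependency lines in it are constructed.

```python
"""Flag logback artifacts older than the fixed releases named in the
announcement: 1.2.9 for the 1.2.x series, 1.3.0-alpha11 for 1.3.x.
Added example; the sample dependency lines below are constructed."""
import re

# Maven/Gradle coordinate forms: group:artifact:version and the
# mvn dependency:tree form group:artifact:jar:version[:scope].
COORD = re.compile(
    r"ch\.qos\.logback:(logback-(?:core|classic)):(?:jar:)?([0-9][^\s:]*)")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-alpha(\d+))?$")


def parse_version(v):
    """Return (major, minor, patch, alpha); alpha is None for a final release."""
    m = VERSION.match(v)
    if not m:
        return None
    major, minor, patch, alpha = m.groups()
    return int(major), int(minor), int(patch), (int(alpha) if alpha else None)


def is_fixed(version):
    """True if the version is at or above the fixed release for its series.
    Unparseable versions and series older than 1.2 are treated as not fixed."""
    p = parse_version(version)
    if p is None:
        return False
    major, minor, patch, alpha = p
    if (major, minor) == (1, 2):
        return patch >= 9
    if (major, minor) == (1, 3):
        # 1.3.0 final and any 1.3.x with x > 0 come after 1.3.0-alpha11.
        return patch > 0 or alpha is None or alpha >= 11
    return (major, minor) > (1, 3)


def find_vulnerable(lines):
    """Return [(artifact, version)] for every logback coordinate below the fix."""
    found = []
    for line in lines:
        for artifact, version in COORD.findall(line):
            if not is_fixed(version):
                found.append((artifact, version))
    return found


# Constructed sample of mvn dependency:tree output.
SAMPLE = """\
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.3.0-alpha10:test
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.9:compile
""".splitlines()

if __name__ == "__main__":
    for artifact, version in find_vulnerable(SAMPLE):
        print(f"upgrade needed: {artifact} {version}")
```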

Best regards,

-- 
Ceki Gülcü

Please contact support(at)qos.ch for donations, sponsorship or support 
contracts related to SLF4J or logback projects.