[logback-user] Log4j Shell zero day vulnerability - does it affect logback or slf4j

[David Roussel]

There are two possible interpretations of your question

 a. Do any similar vulnerabilities exist in logback and slf4j

 b. Have any similar vulnerabilities been detected and reported in logback and slf4j

In the case of (a) we don’t know,, since any piece of normal-complexity software can contain vulnerabilities.  In general you can only prove that vulnerabilities exist, not that they don’t exist.  But this is more of a philosophical question.

In the case of (b); if they had been detected and reported, they would be listed in the various CVE databases, for example:
- https://security.snyk.io/search?q=logback
- https://security.snyk.io/search?q=slf4j
- … and others

For your particular configuration, and set of transitive dependencies, you need to investigate yourself.


To see the slf4j statement on the matter from ceki, see: http://www.slf4j.org/log4shell.html