[logback-user] Log4j Shell zero day vulnerability - does it affect logback or slf4j
Ceki Gülcü
ceki at qos.ch
Mon Dec 13 11:55:45 CET 2021
Hi David,
Logback does NOT offer a lookup mechanism at the message level. So it is
safe with respect to CVE-2021-44228.
However, we are still looking at other venues for other attacks.
Best regards,
--
Ceki Gülcü
Please contact sales at qos.ch for support related to SLF4J or logback
projects.
On 12/12/2021 12:00, David Roussel wrote:
> There are two possible interpretations of your question
>
> a. Do any similar vulnerabilities exist in logback and slf4j
>
> b. Have any similar vulnerabilities been detected and reported in logback and slf4j
>
> In the case of (a) we don’t know, since any piece of normal-complexity software can contain vulnerabilities. In general you can only prove that vulnerabilities exist, not that they don’t exist. But this is more of a philosophical question.
>
> In the case of (b); if they had been detected and reported, they would be listed in the various CVE databases, for example:
> - https://security.snyk.io/search?q=logback
> - https://security.snyk.io/search?q=slf4j
> - … and others
>
> For your particular configuration, and set of transitive dependencies, you need to investigate yourself.
>
>
> To see the slf4j statement on the matter from ceki, see: http://www.slf4j.org/log4shell.html
>