[logback-user] Log4j Shell zero day vulnerability - does it affect logback or slf4j

Ceki Gülcü ceki at qos.ch
Mon Dec 13 11:55:45 CET 2021

Hi David,

Logback does NOT offer a lookup mechanism at the message level. So it is 
safe with respect to CVE-2021-44228.

However, we are still looking at other venues for other attacks.

Best regards,

Ceki Gülcü

Please contact sales at qos.ch for support related to SLF4J or logback 

On 12/12/2021 12:00, David Roussel wrote:
> There are two possible interpretations of your question
>   a. Do any similar vulnerabilities exist in logback and slf4j
>   b. Have any similar vulnerabilities been detected and reported in logback and slf4j
> In the case of (a) we don’t know,, since any piece of normal-complexity software can contain vulnerabilities.  In general you can only prove that vulnerabilities exist, not that they don’t exist.  But this is more of a philosophical question.
> In the case of (b); if they had been detected and reported, they would be listed in the various CVE databases, for example:
> - https://security.snyk.io/search?q=logback
> - https://security.snyk.io/search?q=slf4j
> - … and others
> For your particular configuration, and set of transitive dependencies, you need to investigate yourself.
> To see the slf4j statement on the matter from ceki, see: http://www.slf4j.org/log4shell.html

More information about the logback-user mailing list