[logback-user] SECURITY FIX - Release of logback version 1.2.8 with security Fixes
ceki at qos.ch
Tue Dec 14 13:38:22 CET 2021
== Includes security fixes ====
In the wake of CVE-2021-44228, a serialization related
vulnerability has been reported which affects logback.
In response to this vulnerability we have disabled all JNDI
lookup code in logback until further notice. This impacts
ContextJNDISelector and <insertFromJNDI> element in configuration
We have also removed all database (JDBC) related code in the
project with no replacement.
We note that the vulnerability mentioned in LOGBACK-1591 
requires write access to logback's configuration file as a
prerequisite. An demo of the vulnerability can be found at .
We urge you to upgrade to logback 1.2.8 as soon as possible.
A release on the 1.3.x branch will follow shorty.
As an additional precautionary measure, we also recommend users
to set their configuration files as read-only.
Please contact sales(at)qos.ch for support related to SLF4J or
More information about the logback-user