[slf4j-dev] Remote code execution vulnerability in log4j 2.x

Ceki Gülcü ceki at qos.ch
Fri Dec 10 10:36:52 CET 2021


Hello all,

You might have heard of a Remote code execution (RCE) vulnerability in 
log4j 2.x, that allows an attacker to execute arbitrary code by 
controlling the contents of a single logged message. While 
vulnerabilities are reported now and then, this vulnerability is totally 
unheard of in its severity.

As for logback, while logback claims to be the successor to log4j 1.x, 
logback is unrelated to log4j 2.x. It does not share code nor 
vulnerabilities with log4j 2.x. More specifically, logback does not 
suffer from aforementioned said RCE vulnerability in any shape or form.

Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x 
is used as the back-end implementation. Given the severity of this 
issue, we  encourage you to consider logback as the preferred back-end 
for SLF4J API.

Also note that logback performs significantly better than log4 2.x.

Please see the benchmark results at:

  http://logback.qos.ch/performance.html

Better yet, run the benchmark yourself.

   https://github.com/ceki/logback-perf

In our opinion, logging libraries need to be reliable first and foremost 
with new features added only with extreme care.

Best regards,

Further references to the RCE vulnerability:

   https://www.lunasec.io/docs/blog/log4j-zero-day/
   https://twitter.com/P0rZ9/status/1468949890571337731
   https://github.com/apache/logging-log4j2/pull/608

--
Ceki Gülcü

Please contact sales at qos.ch for support related to SLF4J or logback 
projects.


More information about the slf4j-dev mailing list