[slf4j-user] Slf4j shields from Log4shell via log4j2.formatMsgNoLookups=true

Ceki Gülcü ceki at qos.ch
Mon Dec 27 14:26:25 CET 2021


Hi David,

Thank you for sharing this information.
-- 
Ceki Gülcü

Please contact support(at)qos.ch for donations, sponsorship or support 
contracts related to SLF4J or logback projects.

On 22/12/2021 22:24, David Smiley wrote:
> Hello Slf4j community,
> 
> I'd like to share a happy discovery about the well-known "Log4shell" 
> vulnerability on Log4j2.  Apps that use Slf4j with Log4j2 backing (and 
> which don't otherwise call Log4j2 directly) can be mitigated 
> by log4j2.formatMsgNoLookups=true
> 
> https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz
> 
> As I write this (with Ralph having yet to respond to my follow-up), it's 
> not really some final determination but it's highly encouraging.
> 
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
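
Added example, not part of the original messages and not code from SLF4J or Log4j: a Python check for the two conditions named in the quoted message, that the JVM is started with log4j2.formatMsgNoLookups=true and that the application sources do not import the Log4j2 API directly. The command line, file names and function names are constructed for illustration.

```python
import re
import shlex

PROP = "log4j2.formatMsgNoLookups"
# A direct Log4j2 API call site normally shows up as an import from this package.
# Limitation: fully qualified use without an import is not detected.
LOG4J2_IMPORT = re.compile(
    r"^\s*import\s+(?:static\s+)?org\.apache\.logging\.log4j\.[\w.*]+\s*;", re.M)
TAKES_VALUE = {"-cp", "-classpath", "--class-path"}

def flag_enabled(jvm_cmdline):
    """True if the JVM options (not the app arguments) set PROP to true."""
    value = None
    args = shlex.split(jvm_cmdline)[1:]          # drop the java executable
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in TAKES_VALUE:                   # option followed by its value
            i += 2
            continue
        if arg == "-jar" or not arg.startswith("-"):
            break                                # everything after is app args
        if arg.startswith("-D" + PROP + "="):
            value = arg.split("=", 1)[1]         # a later -D overrides an earlier one
        i += 1
    return value is not None and value.lower() == "true"

def direct_log4j2_users(sources):
    """Names of source files that import org.apache.logging.log4j.* directly."""
    return sorted(n for n, text in sources.items() if LOG4J2_IMPORT.search(text))

def audit(jvm_cmdline, sources):
    direct = direct_log4j2_users(sources)
    flag = flag_enabled(jvm_cmdline)
    return {"flag_set": flag, "direct_callers": direct,
            "matches_described_case": flag and not direct}

# Constructed sample input (not taken from any real application).
SAMPLE_CMD = "java -Xmx512m -Dlog4j2.formatMsgNoLookups=true -jar app.jar --mode=prod"
SAMPLE_SOURCES = {
    "OrderService.java": "import org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\n",
    "LegacyAudit.java": "import org.apache.logging.log4j.LogManager;\nclass LegacyAudit {}\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE_CMD, SAMPLE_SOURCES))
```

A file listed under direct_callers falls outside the Slf4j-only case the message describes and needs separate review.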

