[slf4j-user] Slf4j shields from Log4shell via log4j2.formatMsgNoLookups=true
Ceki Gülcü
ceki at qos.ch
Mon Dec 27 14:26:25 CET 2021
Hi David,
Thank you for your sharing this information.
--
Ceki Gülcü
Please contact suppport(at)qos.ch for donations, sponsorship or support
contracts related to SLF4J or logback projects.
On 22/12/2021 22:24, David Smiley wrote:
> Hello Slf4j community,
>
> I'd like to share a happy discovery about the well-known "Log4shell"
> vulnerability on Log4j2. Apps that use Slf4j with Log4j2 backing (and
> which don't otherwise call Log4j2 directly) can be mitigated
> by log4j2.formatMsgNoLookups=true
>
> https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz
> <https://lists.apache.org/thread/kgh63sncrsm2bls884pg87mnt8vqztmz>
>
> As I write this (with Ralph having yet to respond to my follow-up), it's
> not really some final determination but it's highly encouraging.
>
> ~ David Smiley
> Apache Lucene/Solr Search Developer
> http://www.linkedin.com/in/davidwsmiley
> <http://www.linkedin.com/in/davidwsmiley>
More information about the slf4j-user
mailing list