
As I understand it, Logback is written by the same authors. Our applications are using Logback instead. Is there a chance that Logback is also affected by the exploit in Log4j?

This is critical for our organisation.

Peter Mortensen
saran3h

1 Answer

From the Spring blog:

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Useful explanation points:

log4j-to-slf4j is an adapter between the Log4j API and SLF4J. It indeed brings log4j-api, but it does not bring log4j-core, so our starter is not affected by this vulnerability.

Peter Mortensen
Arun Sai Mustyala
  • The Spring blog was updated: logback released version 1.2.8 to prevent a lesser vulnerability; see the [logback JIRA issue LOGBACK-1591](https://jira.qos.ch/browse/LOGBACK-1591) for details and a demo showing the exploit in [logbackRceDemo](https://github.com/cn-panda/logbackRceDemo). It has a lesser vulnerability; for more info see [here](https://github.com/cn-panda/logbackRceDemo#summarize) and [here](http://slf4j.org/log4shell.html) – thunderhook Dec 14 '21 at 15:07
  • These articles have a different opinion: 1. http://slf4j.org/log4shell.html 2. https://www.technology.pitt.edu/content/additional-guidance-regarding-log4j-vulnerability – tryingToLearn Dec 16 '21 at 05:05
  • @tryingToLearn we have used the default configuration of logback provided by the Spring Boot starters. We've not created any configuration file for logback. Is our system still vulnerable to RCE? – Mahadev Mandale Dec 21 '21 at 09:37
  • What does "starter" refer to? [Spring Boot built-in starters](https://www.javatpoint.com/spring-boot-starters)? Or something else? – Peter Mortensen Aug 19 '22 at 12:17
  • The later versions of log4j2 do not have the vulnerability. – Adrian M. Nov 30 '22 at 03:19
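An added check, not code from the Spring blog, Spring Boot or Logback, that turns the answer's point (only log4j-core makes Log4Shell reachable; the log4j-api/log4j-to-slf4j pair in spring-boot-starter-logging does not) and thunderhook's note about logback 1.2.8 into something you can run against a built application: it reads the jar names of a Spring Boot fat jar and reports which of those artifacts are actually bundled. The BOOT-INF/lib sample jar names and versions at the bottom are constructed.

```shell
#!/bin/sh
# Added audit helper; not code from the Spring blog, Spring Boot or Logback.
# Usage: unzip -Z1 app.jar 'BOOT-INF/lib/*' | audit_logging_jars
# (jar names, one per line, from a Spring Boot fat jar or an `ls` of lib/).

# version_lt A B: succeed (exit 0) if dotted version A is numerically below B.
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$a" = "$ai" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$bi" ]; then b=; else b=${b#*.}; fi
    ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}   # drop suffixes such as -rc1
    [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
    [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
  done
  return 1
}

# audit_logging_jars: reads jar names on stdin, prints one finding per line.
# Log4Shell is only reachable through log4j-core; the log4j-api and
# log4j-to-slf4j jars that spring-boot-starter-logging bundles are not enough.
# logback-core below 1.2.8 is flagged for LOGBACK-1591 (the lesser issue).
audit_logging_jars() {
  core_ver=; api=0; logback_ver=
  while IFS= read -r jar; do
    base=${jar##*/}
    case "$base" in
      log4j-core-*.jar) core_ver=${base#log4j-core-}; core_ver=${core_ver%.jar} ;;
      log4j-api-*.jar|log4j-to-slf4j-*.jar) api=1 ;;
      logback-core-*.jar) logback_ver=${base#logback-core-}; logback_ver=${logback_ver%.jar} ;;
    esac
  done
  if [ -n "$core_ver" ]; then
    echo "LOG4J_CORE_PRESENT $core_ver"   # compare against the current Apache advisory
  elif [ "$api" -eq 1 ]; then
    echo "LOG4J_API_ONLY"                # Spring Boot default: not exploitable via Log4Shell
  else
    echo "NO_LOG4J"
  fi
  if [ -n "$logback_ver" ]; then
    if version_lt "$logback_ver" 1.2.8; then echo "LOGBACK_BELOW_1_2_8 $logback_ver"
    else echo "LOGBACK_OK $logback_ver"; fi
  fi
}

# Constructed sample: what a default Spring Boot starter-logging app bundles.
printf '%s\n' BOOT-INF/lib/log4j-api-2.14.1.jar BOOT-INF/lib/log4j-to-slf4j-2.14.1.jar \
  BOOT-INF/lib/logback-core-1.2.7.jar BOOT-INF/lib/logback-classic-1.2.7.jar | audit_logging_jars
```

A LOG4J_CORE_PRESENT line means the application has switched away from the Spring Boot default and its log4j-core version needs checking; LOG4J_API_ONLY is the situation the answer describes.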