
After the log4j zero-day vulnerability, we started to look whether there are any more artifacts that use either slf4j or lower versions of log4j.

Checking the mvn dependency tree, we figured out that spring-security-saml2-core is using slf4j, and we tried to exclude it from the artifact. However, we are receiving the runtime exception below:

    java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
        at org.opensaml.DefaultBootstrap.getLogger(DefaultBootstrap.java:246)
        at org.opensaml.DefaultBootstrap.initializeXMLSecurity(DefaultBootstrap.java:189)
        at

1 Answer

If you are referring to the CVE-2021-44228 vulnerability (aka Log4Shell), then Slf4J is not the vulnerable library, so you don't have to exclude it. Only log4j-core is affected by this particular vulnerability, for versions from 2.0 up to (but not including) 2.15.0. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228

There are other known vulnerabilities at the moment (and many that are still probably waiting to be discovered), as @eray-tufay points out. The example he gives is https://cve.report/CVE-2021-4104:

Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default

So, to be protected against current and future vulnerabilities:

  • This is not correct. There is also a vulnerability for Version 1.x. CVE-2021-4104 https://access.redhat.com/security/cve/CVE-2021-4104: "A flaw was found in the Java logging library Apache Log4j in version 1.x. JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. This allows a remote attacker to execute code on the server if the deployed application is configured to use JMSAppender and to the attacker's JMS Broker." – Eray Tufan Dec 14 '21 at 12:27
  • I updated the response to be more exact. I was referring only to CVE-2021-44228 vulnerability (aka. Log4Shell) not the one you found – wi2ard Dec 14 '21 at 12:48
  • To be more precise, only log4j-core is vulnerable (see the CVE description); the log4j-api is not, as it contains only the API, while the core is the implementation. – Yosef-at-Panaya Dec 14 '21 at 15:39
  • Also around this: slf4j-over-log4j (that is the way to "redirect" log4j2 calls to slf4j) uses log4j-api and is indeed safe. – Yosef-at-Panaya Dec 14 '21 at 15:42
  • Indeed, only the core jar is vulnerable. There were early reports the api was vulnerable too but it seems those were inaccurate. – wi2ard Dec 15 '21 at 08:57
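A check that applies the distinction drawn in the answer and its comments, added here as an example (it is not code from the question or the answer): a small Python script that scans `mvn dependency:tree` output and flags only log4j-core 2.x before 2.15.0 for CVE-2021-44228 and log4j 1.x for the JMSAppender-dependent CVE-2021-4104, while leaving slf4j and log4j-api alone. The tree text and the versions in it are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output for illustration; the
# coordinates and versions are made up and are not from the original question.
SAMPLE_TREE = """\
[INFO] com.example:webapp:war:1.0
[INFO] +- org.springframework.security.extensions:spring-security-saml2-core:jar:1.0.10.RELEASE:compile
[INFO] |  +- org.opensaml:opensaml:jar:2.6.4:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.32:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.14.1:compile
[INFO] \\- log4j:log4j:jar:1.2.17:compile
"""

# Matches the Maven coordinate at the end of a tree line:
# groupId:artifactId:packaging[:classifier]:version:scope
COORD_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+(?::[\w.\-]+)?:([\w.\-]+):\w+\s*$")

def version_tuple(version):
    """Turn '2.14.1' or '1.0.10.RELEASE' into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def classify(group, artifact, version):
    """Finding text for the artifacts the thread names as affected, else None."""
    v = version_tuple(version)
    if group == "org.apache.logging.log4j" and artifact == "log4j-core":
        # CVE-2021-44228: log4j-core 2.x before 2.15.0; log4j-api is not affected.
        if (2,) <= v < (2, 15, 0):
            return "CVE-2021-44228 (Log4Shell): upgrade log4j-core to 2.15.0 or later"
    if group == "log4j" and artifact == "log4j" and v[:1] == (1,):
        # CVE-2021-4104: log4j 1.x, exploitable only when JMSAppender is configured.
        return "CVE-2021-4104: log4j 1.x, check the logging config for JMSAppender"
    return None

def find_log4j_findings(tree_text):
    """Scan dependency:tree output; return [(group:artifact, version, finding)]."""
    findings = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue  # root artifact line or non-coordinate text
        group, artifact, version = m.groups()
        finding = classify(group, artifact, version)
        if finding:
            findings.append((f"{group}:{artifact}", version, finding))
    return findings
```

Run it over `mvn dependency:tree` output saved to a file instead of SAMPLE_TREE; slf4j-api, log4j-api and log4j-to-slf4j produce no finding, matching the comments above.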