Is Logback also affected by the Log4j zero-day vulnerability issue in Spring Boot? [closed]

by

From the Spring blog:

Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.

Useful explanation points:

log4j-to-slf4j is an adapter between the Log4j API and SLF4J. It indeed brings log4j-api, but it does not bring log4j-core, so our starter is not affected by this vulnerability.

Leave a Comment

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)