Ramesh

Reputation: 55

org.slf4j:log4j-over-slf4j:jar:1.7.21:compile vulnerability

We need to migrate to log4j 2.17 if we are using the log4j jar. mvn dependency:tree shows only log4j-over-slf4j.jar, so I assume the app is safe, as it will redirect calls to SLF4J, not to log4j. Please confirm my app is safe with this jar without any remediation?

Upvotes: 0

Views: 2091

Answers (1)

Joao Almeida

Reputation: 81

On the SLF4J website, in the comments on the log4shell (CVE-2021-44228) vulnerability, they state that:

If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.

So it basically depends on how you're implementing log generation. SLF4J natively uses Logback. But to be sure, you can check your pom.xml and see if log4j is mentioned there.

Upvotes: 1
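The check the answer describes, written out as an added example that is not part of the original question or answer. It classifies `mvn dependency:tree` output: `org.slf4j:log4j-over-slf4j` is only SLF4J's bridge that routes log4j 1.x API calls into SLF4J, so what matters is whether `org.apache.logging.log4j:log4j-core` (the log4j 2.x implementation) is also on the classpath, at what version. The three sample trees are constructed for illustration; the function names and the 2.17.0 threshold (the upgrade target from the question) are this example's own choices, and it assumes a POSIX sh with `grep` and `sed`.

```shell
#!/bin/sh
# Added example: tell a harmless log4j-over-slf4j bridge apart from a real
# log4j 2.x implementation (log4j-core) in `mvn dependency:tree` output.
# Real usage:  mvn -q dependency:tree | classify_tree

# Returns 0 when version $1 is a 2.x release below 2.17.0 (the question's target).
below_2_17() {
  major=${1%%.*}
  rest=${1#*.}
  minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
  [ "$major" = "2" ] && [ -n "$minor" ] && [ "$minor" -lt 17 ]
}

# Reads dependency:tree output on stdin, prints findings, and returns:
#   0 = no log4j-core 2.x below 2.17.0 (the bridge alone only redirects to SLF4J)
#   2 = log4j-core 2.x below 2.17.0 is on the classpath
classify_tree() {
  tree=$(cat)
  bridge=$(printf '%s\n' "$tree" | grep -c 'org\.slf4j:log4j-over-slf4j:jar:' || true)
  log4j1=$(printf '%s\n' "$tree" | grep -c '[[:space:]]log4j:log4j:jar:' || true)
  core_ver=$(printf '%s\n' "$tree" \
    | sed -n 's/.*org\.apache\.logging\.log4j:log4j-core:jar:\([^:]*\):.*/\1/p' | head -n 1)

  if [ "$bridge" -gt 0 ]; then
    echo "bridge: log4j-over-slf4j present (log4j 1.x API calls are routed to SLF4J)"
  fi
  if [ "$log4j1" -gt 0 ]; then
    echo "note: log4j 1.x (log4j:log4j) present; not affected by CVE-2021-44228 but end-of-life"
  fi
  if [ -z "$core_ver" ]; then
    echo "ok: no org.apache.logging.log4j:log4j-core on the classpath"
    return 0
  fi
  if below_2_17 "$core_ver"; then
    echo "FAIL: log4j-core $core_ver found; upgrade to 2.17.0 or later"
    return 2
  fi
  echo "ok: log4j-core $core_ver (already 2.17.0 or later)"
  return 0
}

# Constructed sample trees (not real project output).
SAFE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.21:compile
[INFO] \- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO]    \- ch.qos.logback:logback-core:jar:1.2.3:compile'

# Same bridge, but a library drags in log4j-core 2.14.1 transitively.
VULN_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] +- org.slf4j:log4j-over-slf4j:jar:1.7.21:compile
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] \- com.example:some-library:jar:3.1.0:compile
[INFO]    \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile'

PATCHED_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.slf4j:slf4j-api:jar:1.7.21:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.17.1:compile'

for t in "$SAFE_TREE" "$VULN_TREE" "$PATCHED_TREE"; do
  rc=0
  printf '%s\n' "$t" | classify_tree || rc=$?
  echo "exit status: $rc"
  echo
done
```

The bridge line by itself is informational: the question's tree, with only `log4j-over-slf4j`, yields "ok". The second sample shows why "only grep for log4j" is not enough of a check: the bridge is present and the app never calls log4j 2 directly, yet a transitive `log4j-core` 2.14.1 still sits on the classpath and the script flags it.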
