Hey Aravind, 
We found this article http://slf4j.org/log4shell.html :

The SLF4J API is just an API which lets message data go through. As such, 
using log4j 2.x even via SLF4J does not mitigate the vulnerability. 

However, as mentioned previously, log4j 1.x is safe with respect to 
CVE-2021-44228. Thus, if your SLF4J provider/binding is *slf4j-log4j12.jar*, 
you are safe regarding CVE-2021-44228.

If you are using *log4j-over-slf4j.jar* with SLF4J API, you are safe unless 
the underlying implementation is log4j 2.x.

On Monday, December 13, 2021 at 6:25:03 PM UTC+5:30 Aravind SV wrote:

> Ha. As I write this ... someone seems to have brought this up. Please 
> watch this or the discussion for updates.
>
> On Mon, Dec 13, 2021 at 12:53 PM Aravind SV <[email protected]> 
> wrote:
>
>> Hello,
>>
>> Just a quick note to say that there is a discussion happening around the 
>> log4j vulnerability and GoCD here 
>> <https://github.com/gocd/gocd/discussions/9931>.
>>
>> The current understanding is that GoCD (by itself) isn't vulnerable, 
>> since it doesn't use log4j directly. There is a TFS dependency which uses 
>> log4j, but it had been made to use log4j-over-slf4j and then logback from 
>> there -- and so, *shouldn't* be vulnerable.
>>
>> If things change, and more information is found, it might be in that 
>> discussion page instead of here.
>>
>> Cheers,
>> Aravind
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"go-cd" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/go-cd/a1cc672b-e9d5-4496-86c6-35b173cba8dcn%40googlegroups.com.
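An added example, not code from this thread or from GoCD: a small triage script that applies the reasoning of the quoted SLF4J note to the jar names in an application's lib/ directory. The jar names and versions in the samples are constructed, and `parse_jar` / `assess_logging_stack` are hypothetical helper names.

```python
import re
from pathlib import Path

# Added example (not from the thread or from GoCD): triage a Java app's lib/
# directory the way the SLF4J note reasons. SLF4J only passes messages
# through, so the verdict depends on which implementation is on the classpath:
#   log4j-core 2.x        -> affected by CVE-2021-44228 even when reached via SLF4J
#   log4j 1.x (slf4j-log4j12 binding) -> not affected by this CVE
#   log4j-over-slf4j      -> safe unless the SLF4J backend itself is log4j 2.x
# Version numbers here only separate 1.x from 2.x; which 2.x releases carry
# the fix is a separate check against the vendor advisory.

# Maven-style jar name: <artifact>-<numeric version>[-qualifier].jar
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z0-9.\-]+)-(?P<version>\d+(?:\.\d+)*)(?:[-.][a-zA-Z0-9]+)*\.jar$"
)


def parse_jar(path):
    """Return (artifact, version tuple) for a jar file name, or None."""
    m = JAR_RE.match(Path(path).name)
    if not m:
        return None
    return m.group("artifact"), tuple(int(x) for x in m.group("version").split("."))


def assess_logging_stack(jar_paths):
    """Return (exposed, reason) for the jars making up one classpath."""
    arts = {}
    for p in jar_paths:
        parsed = parse_jar(p)
        if parsed:
            arts[parsed[0]] = parsed[1]
    if "log4j-core" in arts and arts["log4j-core"][0] == 2:
        return True, "log4j-core 2.x present; routing through SLF4J does not mitigate"
    if "slf4j-log4j12" in arts or ("log4j" in arts and arts["log4j"][0] == 1):
        return False, "backend is log4j 1.x, not affected by CVE-2021-44228"
    if "log4j-over-slf4j" in arts:
        backend = "logback" if "logback-classic" in arts else "unknown (verify)"
        return False, f"log4j calls bridged to SLF4J; backend {backend}, not log4j 2.x"
    return False, "no log4j implementation among these jars"


if __name__ == "__main__":
    # Constructed sample classpaths, one per case in the SLF4J note.
    samples = {
        "log4j1-binding": ["slf4j-api-1.7.32.jar", "slf4j-log4j12-1.7.32.jar", "log4j-1.2.17.jar"],
        "bridge-to-logback": ["slf4j-api-1.7.32.jar", "log4j-over-slf4j-1.7.32.jar", "logback-classic-1.2.7.jar"],
        "log4j2-via-slf4j": ["slf4j-api-1.7.32.jar", "log4j-slf4j-impl-2.14.1.jar", "log4j-core-2.14.1.jar"],
    }
    for name, jars in samples.items():
        print(name, assess_logging_stack(jars))
```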