Hi David,
Logback does NOT offer a lookup mechanism at the message level. So it is
safe with respect to CVE-2021-44228.
However, we are still looking at other venues for other attacks.
Best regards,
--
Ceki Gülcü
Please contact [email protected] for support related to SLF4J or logback
projects.
On 12/12/2021 12:00, David Roussel wrote:
There are two possible interpretations of your question
a. Do any similar vulnerabilities exist in logback and slf4j
b. Have any similar vulnerabilities been detected and reported in logback and
slf4j
In the case of (a) we don’t know,, since any piece of normal-complexity
software can contain vulnerabilities. In general you can only prove that
vulnerabilities exist, not that they don’t exist. But this is more of a
philosophical question.
In the case of (b); if they had been detected and reported, they would be
listed in the various CVE databases, for example:
- https://security.snyk.io/search?q=logback
- https://security.snyk.io/search?q=slf4j
- … and others
For your particular configuration, and set of transitive dependencies, you need
to investigate yourself.
To see the slf4j statement on the matter from ceki, see:
http://www.slf4j.org/log4shell.html
_______________________________________________
logback-user mailing list
[email protected]
http://mailman.qos.ch/mailman/listinfo/logback-user
