It also can be avoided by not using an old version of Java as Java 8u121 (see https://www.oracle.com/java/technologies/javase/8u121-relnotes.html) protects against remote code execution by defaulting "com.sun.jndi.rmi.object.trustURLCodebase" and "com.sun.jndi.cosnaming.object.trustURLCodebase" to "false".
Gary On Fri, Dec 10, 2021, 04:36 Ceki Gülcü <[email protected]> wrote: > > Hello all, > > You might have heard of a Remote code execution (RCE) vulnerability in > log4j 2.x, that allows an attacker to execute arbitrary code by > controlling the contents of a single logged message. While > vulnerabilities are reported now and then, this vulnerability is totally > unheard of in its severity. > > As for logback, while logback claims to be the successor to log4j 1.x, > logback is unrelated to log4j 2.x. It does not share code nor > vulnerabilities with log4j 2.x. More specifically, logback does not > suffer from aforementioned said RCE vulnerability in any shape or form. > > Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x > is used as the back-end implementation. Given the severity of this > issue, we encourage you to consider logback as the preferred back-end > for SLF4J API. > > Also note that logback performs significantly better than log4 2.x. > > Please see the benchmark results at: > > http://logback.qos.ch/performance.html > > Better yet, run the benchmark yourself. > > https://github.com/ceki/logback-perf > > In our opinion, logging libraries need to be reliable first and foremost > with new features added only with extreme care. > > Best regards, > > Further references to the RCE vulnerability: > > https://www.lunasec.io/docs/blog/log4j-zero-day/ > https://twitter.com/P0rZ9/status/1468949890571337731 > https://github.com/apache/logging-log4j2/pull/608 > > -- > Ceki Gülcü > > Please contact [email protected] for support related to SLF4J or logback > projects. > _______________________________________________ > slf4j-dev mailing list > [email protected] > http://mailman.qos.ch/mailman/listinfo/slf4j-dev
_______________________________________________ slf4j-dev mailing list [email protected] http://mailman.qos.ch/mailman/listinfo/slf4j-dev
