On 9th December 2021, a new zero-day vulnerability for Apache Log4j was reported. It is tracked under CVE-2021-44228 and affects Log4j versions from 2.0.1 (inclusive) to 2.15.0 (exclusive). It is also known under the 'log4shell' name.
Apache Sling modules use the Simple Logging Facade for Java (slf4j) for logging, backed by the Sling Commons OSGi bundle. There are no Sling modules using versions of Log4j affected by log4shell. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library. Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy a vulnerable version of log4j themselves.

The Sling Commons OSGi bundle wraps logback-core and logback-classic, but does not allow arbitrary modifications to the logback.xml file and is therefore not vulnerable to the attack described in LOGBACK-1591.

The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they deploy to ensure that they do not include vulnerable versions of Log4j.

On behalf of the Apache Sling PMC,
Robert Munteanu

---
This advisory is also available online at https://sling.apache.org/security/log4shell.html
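One way to carry out the library review the advisory recommends, as an added example that is not part of the advisory or of Sling itself: a Python script that walks a deployment directory, reads the Maven version metadata of every log4j-core jar it finds (including jars embedded inside OSGi bundles) and flags those within the affected range stated above. The directory path, the `build_sample_jar` helper and the sample jars it constructs are assumptions for illustration only.

```python
import io
import zipfile
from pathlib import Path
# Affected range as the advisory states it: 2.0.1 inclusive to 2.15.0 exclusive.
AFFECTED_MIN, AFFECTED_FIXED = (2, 0, 1), (2, 15, 0)
# Maven metadata (carries the version) and the JNDI lookup class, both shipped inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); pre-release suffixes such as '-beta9' are dropped."""
    parts = [int(p) for p in text.strip().split("-")[0].split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def is_affected(version):
    return AFFECTED_MIN <= parse_version(version) < AFFECTED_FIXED

def inspect_jar_bytes(data, name):
    """Findings for one jar; recurses into jars embedded in OSGi bundles (Bundle-ClassPath)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(l.split("=", 1) for l in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                         if "=" in l and not l.startswith("#"))
            version = props.get("version", "0").strip()
            findings.append({"jar": name, "version": version, "affected": is_affected(version),
                             "jndi_lookup": JNDI_LOOKUP in names})
        for inner in sorted(n for n in names if n.endswith(".jar")):
            findings.extend(inspect_jar_bytes(zf.read(inner), f"{name}!/{inner}"))
    return findings

def scan_directory(root):
    # Walk a deployment directory (e.g. a Sling launcher folder) and report every log4j-core found.
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        findings.extend(inspect_jar_bytes(path.read_bytes(), str(path)))
    return findings

def build_sample_jar(version, embed_in_bundle=False):
    # Constructed sample input: a minimal fake log4j-core jar, optionally nested inside a bundle jar.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
    if not embed_in_bundle:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(f"lib/log4j-core-{version}.jar", buf.getvalue())
    return outer.getvalue()
```

A finding with `affected` set to True, or a jar without Maven metadata that still contains the JNDI lookup class, is what to follow up on; `scan_directory` takes the root of the deployment to review.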
