Hello Piotr,

So the solution for `ch.qos.logback:logback-core` would be to add this
dependency:

<!-- https://mvnrepository.com/artifact/ch.qos.logback/logback-core -->
<dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-core</artifactId>
    <version>1.2.11</version>
</dependency>



On Wed, 30 Mar 2022 at 02:42, Piotr P. Karwasz (piotr.karw...@gmail.com)
wrote:

> Hello Juan,
>
> On Tue, 29 Mar 2022 at 23:00, Juan Jose Silupú Maza
> <juansilupum...@gmail.com> wrote:
> > So, is my project affected by the LOG4J vulnerability? How do I mitigate
> > it?
>
> The Log4Shell vulnerability (CVE-2021-44228) concerned only the
> `log4j-core` artifact developed by the Apache Logging Services
> project. The `org.slf4j:log4j-over-slf4j` artifact is a Log4j 1.x
> replacement developed by QOS.CH. They don't share any code, so they
> don't share vulnerabilities.
>
> However, Spring Boot uses Logback as its logging backend, and versions
> of `ch.qos.logback:logback-core` up to 1.2.7 have vulnerabilities of
> their own.
>
> Piotr
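
As an added example (not part of the original thread or of either project), this Python script reads `mvn dependency:tree` output and applies the distinctions drawn above: `log4j-core` is the artifact to review, `log4j-over-slf4j` is unrelated code, and `logback-core` up to 1.2.7 needs an upgrade. The sample tree and all function names are constructed for illustration.

```python
import re

# One artifact line of `mvn dependency:tree`:
# groupId:artifactId:packaging:version[:scope]
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?\s*$")
LOGBACK_LAST_AFFECTED = (1, 2, 7)  # "up to 1.2.7", as stated in the thread

# Constructed sample input, not taken from any real project.
SAMPLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO] |  +- ch.qos.logback:logback-classic:jar:1.2.6:compile
[INFO] |  |  \\- ch.qos.logback:logback-core:jar:1.2.6:compile
[INFO] \\- org.slf4j:log4j-over-slf4j:jar:1.7.32:compile
"""

def version_tuple(version):
    """Leading numeric components: '1.2.11' -> (1, 2, 11); () if none."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def classify(group, artifact, version):
    """Return a verdict for the three artifacts discussed, else None."""
    if (group, artifact) == ("org.apache.logging.log4j", "log4j-core"):
        return "REVIEW: log4j-core present (the artifact Log4Shell concerns)"
    if (group, artifact) == ("org.slf4j", "log4j-over-slf4j"):
        return "OK: Log4j 1.x replacement from QOS.CH, shares no code"
    if (group, artifact) == ("ch.qos.logback", "logback-core"):
        # An unparseable version yields () and is flagged, which is the safe side.
        if version_tuple(version) <= LOGBACK_LAST_AFFECTED:
            return "UPGRADE: logback-core up to 1.2.7 is affected"
        return "OK: logback-core newer than 1.2.7"
    return None

def audit(tree_text):
    """Map 'group:artifact:version' to a verdict for each relevant line."""
    findings = {}
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        verdict = classify(*m.groups())
        if verdict:
            findings[":".join(m.groups())] = verdict
    return findings

if __name__ == "__main__":
    for coord, verdict in audit(SAMPLE_TREE).items():
        print(f"{coord}: {verdict}")
```
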
