Re: Spring Boot 1.5.x with Maven is affected by log4j vulnerability?

2022-03-30 Thread Juan Jose Silupú Maza
Hello Piotr,

So the solution for `ch.qos.logback:logback-core` would be to add this
dependency:

    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-core</artifactId>
        <version>1.2.11</version>
    </dependency>


On Wed, 30 Mar 2022 at 02:42, Piotr P. Karwasz (piotr.karw...@gmail.com)
wrote:

> Hello Juan,
>
> On Tue, 29 Mar 2022 at 23:00, Juan Jose Silupú Maza
>  wrote:
> > So, is my project affected by the LOG4J vulnerability? How do I mitigate
> > it?
>
> The Log4Shell vulnerability (CVE-2021-44228) concerned only the
> `log4j-core` artifact developed by the Apache Logging Services
> project. The `org.slf4j:log4j-over-slf4j` artifact is a Log4j 1.x
> replacement developed by QOS.CH. They don't share any code, so they
> don't share vulnerabilities.
>
> However, Spring Boot uses Logback as its logging backend and versions of
> `ch.qos.logback:logback-core` up to 1.2.7 have vulnerabilities of
> their own.
>
> Piotr
>


Re: Spring Boot 1.5.x with Maven is affected by log4j vulnerability?

2022-03-30 Thread Piotr P. Karwasz
Hello Juan,

On Tue, 29 Mar 2022 at 23:00, Juan Jose Silupú Maza
 wrote:
> So, is my project affected by the LOG4J vulnerability? How do I mitigate it?

The Log4Shell vulnerability (CVE-2021-44228) concerned only the
`log4j-core` artifact developed by the Apache Logging Services
project. The `org.slf4j:log4j-over-slf4j` artifact is a Log4j 1.x
replacement developed by QOS.CH. They don't share any code, so they
don't share vulnerabilities.

However, Spring Boot uses Logback as its logging backend and versions of
`ch.qos.logback:logback-core` up to 1.2.7 have vulnerabilities of
their own.

Piotr

-
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
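As an added example (not code from this thread, nor from Spring Boot, Logback or Log4j), the following POSIX shell script applies Piotr's distinction mechanically to `mvn dependency:tree` or `dependency:list` output: it reports `org.slf4j:log4j-over-slf4j` as the QOS.CH bridge rather than `log4j-core`, flags `ch.qos.logback:logback-core` at 1.2.7 or older for upgrade, and flags `org.apache.logging.log4j:log4j-core` older than 2.17.1. The 2.17.1 threshold, the function names `vercmp` and `check_logging_deps`, and the sample tree in `SAMPLE_TREE` are assumptions and constructed input for this example, not facts stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Scans Maven dependency output for the
# logging artifacts discussed above and prints one verdict per artifact.
#
# Assumptions (not stated in the thread):
#   - logback-core <= 1.2.7 needs an upgrade (the thread says versions "up to
#     1.2.7" have vulnerabilities of their own; 1.2.11 is what the reporter pins).
#   - log4j-core < 2.17.1 needs an upgrade (2.17.1 closed the Log4Shell-series
#     CVEs for Java 8; the threshold is this example's assumption).
#   - log4j-over-slf4j is informational: it is the SLF4J bridge for the Log4j 1
#     API, not log4j-core, so CVE-2021-44228 does not apply to it.

export LC_ALL=C   # stable sort order for the report

# Compare two dotted version strings numerically; prints "lt", "eq" or "gt".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "lt"; exit }
            if (xi > yi) { print "gt"; exit }
        }
        print "eq"
    }'
}

# Read dependency:tree / dependency:list lines on stdin and print
# group:artifact:version:VERDICT for each logging artifact of interest.
check_logging_deps() {
    # Maven prints coordinates as group:artifact:jar[:classifier]:version:scope;
    # pick the version field from either 5- or 6-part form, drop other tokens.
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, p, ":")
            if (n >= 4 && p[3] == "jar")
                print p[1] ":" p[2] ":" (n >= 6 ? p[5] : p[4])
        }
    }' | sort -u | while IFS=: read -r group artifact version; do
        case "$group:$artifact" in
            org.apache.logging.log4j:log4j-core)
                if [ "$(vercmp "$version" 2.17.1)" = lt ]; then verdict=UPGRADE; else verdict=OK; fi ;;
            ch.qos.logback:logback-core)
                if [ "$(vercmp "$version" 1.2.7)" != gt ]; then verdict=UPGRADE; else verdict=OK; fi ;;
            org.slf4j:log4j-over-slf4j)
                verdict=BRIDGE_NOT_LOG4J_CORE ;;
            *) continue ;;   # not a logging artifact we report on
        esac
        echo "$group:$artifact:$version:$verdict"
    done
}

# Constructed sample of dependency:tree output (not the reporter's real tree).
SAMPLE_TREE='[INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
[INFO] \- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile'

# Real use: source this file, then run `mvn dependency:tree | check_logging_deps`.
printf '%s\n' "$SAMPLE_TREE" | check_logging_deps
```

Source the file and pipe the real `mvn dependency:tree` output into `check_logging_deps` to get the report. When a project inherits from `spring-boot-starter-parent`, the managed Logback version is controlled by the `logback.version` property, so setting `<logback.version>1.2.11</logback.version>` under `<properties>` overrides it for `logback-core` and `logback-classic` together; adding a direct dependency on `logback-core` alone, as proposed above, upgrades only that one artifact.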



Re: Spring Boot 1.5.x with Maven is affected by log4j vulnerability?

2022-03-30 Thread Volkan Yazıcı
Nope, judging from the output you've shared, your project doesn't use Log4j
as a backend. `log4j-over-slf4j` simply forwards calls made to Log4j 1 API
to SLF4J.

On Tue, Mar 29, 2022 at 11:00 PM Juan Jose Silupú Maza <juansilupum...@gmail.com> wrote:

> I have a maven project with spring-boot 1.5.21.RELEASE.
>
> Run the command: mvn dependency:tree | grep log4j
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
>
>
> Also, my project has these dependencies:
>
> Maven: org.slf4j:jcl-over-slf4j:1.7.26
>
> Maven: org.slf4j:jul-to-slf4j:1.7.26
>
> Maven: org.slf4j:log4j-over-slf4j:1.7.26
>
> Maven: org.slf4j:slf4j-api:1.7.26
>
>
> So, is my project affected by the LOG4J vulnerability? How do I mitigate
> it?
>


Re: Spring Boot 1.5.x with Maven is affected by log4j vulnerability?

2022-03-29 Thread Gary Gregory
Note that this email list does not allow attachments.

Gary

On Tue, Mar 29, 2022, 16:47 Juan Jose Silupu Maza <
juanjose.silupum...@nttdata.com> wrote:

> *From: *Juan Jose Silupu Maza
> *Sent: *Tuesday, 29 March 2022 11:59
> *To: *log4j-user-subscr...@logging.apache.org
> *Subject: *Spring Boot 1.5.x with Maven is affected by log4j
> vulnerability?
>
> I have a maven project with spring-boot.
>
> Run the command mvnw dependency:list | grep log4j and I get this output:
>
> Also, I did a search on all modules for the string: logg and got this
> result:
>
> Also, my project has these dependencies:
>
> [image: slf4j dependencies]
>
> So, is my project affected by the LOG4J vulnerability? How do I mitigate
> it?
>