Hello,

Your assessment is right, slf4j does not execute any log4j implementation except defining the adapter classes for the log4j API. The adapter is a drop-in replacement to bridge any existing usage of log4j. For more info please read http://www.slf4j.org/legacy.html#log4j-over-slf4j

Cheers
/Leif

From: Ron Lindhoudt via GeoTools-GT2-Users <geotools-gt2-users@lists.sourceforge.net>
Sent: Monday 13 December 2021 14:23
To: geotools-gt2-users@lists.sourceforge.net
Subject: [Geotools-gt2-users] log4j vulnerability CVE-2021-44228

Hi All,

As you probably all know there is vulnerability CVE-2021-44228 found in log4j. The newest Geotools lib (version 26.1) contains an older not supported version of log4j.jar (log4j-1.2.12.jar)
According to http://slf4j.org/log4shell.html this old version is not affected by the vulnerability but it is strongly advised to migrate to a newer version.

I have 2 questions:
- Will this log4j.jar file be replaced shortly?
- In my Geotools deployment I removed log4j-1.2.12.jar and only use log4j-over-slf4j-1.6.4.jar, slf4j-simple-1.7.12.jar and slf4j-api-1.7.12.jar
  Does this mean I do not use log4j at all?

Thanks for your help,
Ron
_______________________________________________
GeoTools-GT2-Users mailing list
GeoTools-GT2-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-gt2-users
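One way to check the question raised in this thread on an actual deployment, added here as an example (it is not code from the thread, GeoTools or SLF4J): classify each jar by the classes it carries instead of by its file name. It assumes, as a heuristic, that the bridge's `org/apache/log4j/Category.class` references `org/slf4j/` in its constant pool while the log4j 1.x implementation does not; the jars written by `build_constructed_samples` are constructed stand-ins, not real class files.

```python
import pathlib
import tempfile
import zipfile

LOG4J1_API = "org/apache/log4j/Category.class"
# Class behind the JNDI lookup in log4j-core 2.x (the CVE-2021-44228 code path).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def classify_jar(path):
    """Return what kind of log4j code, if any, a jar carries."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
            if JNDI_LOOKUP in names:
                return "log4j-core 2.x with JndiLookup"
            if LOG4J1_API in names:
                # Heuristic (assumption): the bridge delegates to an
                # org.slf4j.Logger, so that name is in the constant pool.
                if b"org/slf4j/" in jar.read(LOG4J1_API):
                    return "log4j-over-slf4j bridge"
                return "log4j 1.x implementation"
    except zipfile.BadZipFile:
        return "unreadable"
    return "no log4j classes"

def scan(root):
    """Classify every .jar below root, keyed by file name."""
    jars = sorted(pathlib.Path(root).rglob("*.jar"))
    return {p.name: classify_jar(p) for p in jars}

def build_constructed_samples(root):
    """Write tiny stand-in jars (constructed sample input)."""
    magic = b"\xca\xfe\xba\xbe"
    samples = {
        "log4j-1.2.12.jar": {LOG4J1_API: magic + b"org/apache/log4j/Category"},
        "log4j-over-slf4j-1.6.4.jar": {LOG4J1_API: magic + b"org/slf4j/Logger"},
        "log4j-core-sample.jar": {JNDI_LOOKUP: magic},
        "slf4j-api-1.7.12.jar": {"org/slf4j/Logger.class": magic},
    }
    for name, entries in samples.items():
        with zipfile.ZipFile(pathlib.Path(root) / name, "w") as jar:
            for entry, data in entries.items():
                jar.writestr(entry, data)
    (pathlib.Path(root) / "broken.jar").write_bytes(b"not a zip")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_samples(tmp)
        for name, kind in scan(tmp).items():
            print(f"{name}: {kind}")
```

Jars nested inside a WAR or fat jar are not opened by this scan, so unpack those first and point `scan` at the extracted directory.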