Nope, judging from the output you've shared, your project doesn't use Log4j
as a backend. `log4j-over-slf4j` simply forwards calls made to the Log4j 1 API
to SLF4J.

On Tue, Mar 29, 2022 at 11:00 PM Juan Jose Silupú Maza <
juansilupum...@gmail.com> wrote:

> I have a maven project with spring-boot 1.5.21.RELEASE.
>
> Run the command: mvn dependency:tree | grep log4j
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
> [INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
>
>
> Also, my project has these dependencies:
>
> Maven: org.slf4:jcl-over-slf4j:1.7.26
>
> Maven: org.slf4:jul-to-slf4j:1.7.26
>
> Maven: org.slf4:log4j-over-slf4j:1.7.26
>
> Maven: org.slf4:slf4-api:1.7.26
>
>
> So, is my project affected by the LOG4J vulnerability? How do I mitigate
> it?
>

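Added example, not part of the original thread and not SLF4J or Log4j project code: the `mvn dependency:tree | grep log4j` check above, extended so that each match is labelled as a bridge to SLF4J or as an actual Log4j implementation instead of being read off by eye. The function names, the verdict labels and every sample line other than the `log4j-over-slf4j` one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify Log4j-related coordinates from `mvn dependency:tree`.
# Reads the tree on stdin; prints "<VERDICT> <groupId>:<artifactId>:<version>"
# once per unique coordinate, in order of first appearance.
classify_log4j_deps() {
  awk '
    function verdict(ga, art) {
      if (ga == "org.slf4j:log4j-over-slf4j")              return "BRIDGE"          # Log4j 1 API -> SLF4J
      if (ga == "org.apache.logging.log4j:log4j-to-slf4j") return "BRIDGE"          # Log4j 2 API -> SLF4J
      if (ga == "org.apache.logging.log4j:log4j-api")      return "API_ONLY"        # interfaces, no backend
      if (ga == "org.apache.logging.log4j:log4j-core")     return "LOG4J2_BACKEND"  # Log4j 2 implementation
      if (ga == "log4j:log4j")                             return "LOG4J1_BACKEND"  # Log4j 1 implementation
      if (art ~ /log4j/)                                   return "REVIEW"          # unknown, check by hand
      return ""
    }
    {
      for (i = 1; i <= NF; i++) {
        # Coordinates look like group:artifact:type[:classifier]:version[:scope]
        n = split($i, p, ":")
        if (n < 4) continue
        ver = (n == 4) ? p[4] : p[n - 1]
        ga = p[1] ":" p[2]
        v = verdict(ga, p[2])
        if (v == "") continue
        coord = ga ":" ver
        if (seen[coord]++) continue   # the same dependency is often listed many times
        print v, coord
      }
    }'
}

# Constructed sample: the first two lines repeat the output quoted in the
# thread; the last two are made up, with placeholder versions.
sample_tree() {
  cat <<'EOF'
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
[INFO] |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.26:compile
[INFO] |  +- org.apache.logging.log4j:log4j-core:jar:0.0.0-constructed:compile
[INFO] |  \- org.slf4j:slf4j-log4j12:jar:0.0.0-constructed:runtime
EOF
}

sample_tree | classify_log4j_deps
```

In a real project the input would be `mvn dependency:tree | classify_log4j_deps`; a tree that yields only `BRIDGE` lines matches the situation described in the reply above.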