Hello Juan,

On Tue, 29 Mar 2022 at 23:00, Juan Jose Silupú Maza
<juansilupum...@gmail.com> wrote:
> So, is my project affected by the LOG4J vulnerability? How do I mitigate it?

The Log4Shell vulnerability (CVE-2021-44228) concerned only the
`log4j-core` artifact developed by the Apache Logging Services
project. The `org.slf4j:log4j-over-slf4j` artifact is a Log4j 1.x
replacement developed by QOS.CH. They don't share any code, so they
don't share vulnerabilities.

However, Spring Boot uses Logback as its logging backend, and versions of
`ch.qos.logback:logback-core` up to 1.2.7 have vulnerabilities of
their own.

Piotr

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-user-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-user-h...@logging.apache.org
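
One way to apply the distinction drawn in the reply above to a project, as an added example that is not part of the original message: a Python script that classifies the lines of `mvn dependency:list` output by artifact. The verdict labels, function names and sample dependency list are constructed for illustration; the coordinates and the logback bound are the ones the reply names, and the `org.apache.logging.log4j` group id is the published one for `log4j-core`.

```python
# Coordinates and the logback bound come from the reply above.
VERDICTS = {
    ("org.apache.logging.log4j", "log4j-core"): "LOG4SHELL_ARTIFACT",
    ("org.slf4j", "log4j-over-slf4j"): "NOT_LOG4J_CORE",
}
LOGBACK_CORE = ("ch.qos.logback", "logback-core")
LOGBACK_LAST_FLAGGED = (1, 2, 7)  # "up to 1.2.7"

def numeric_version(version):
    """'1.2.10' -> (1, 2, 10); '1.3.0-alpha10' -> (1, 3, 0)."""
    parts = []
    for piece in version.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def classify(line):
    """Return (coordinate, version, verdict), or None for lines of no interest."""
    tokens = line.replace("[INFO]", "").split()
    fields = tokens[0].split(":") if tokens else []
    if len(fields) not in (5, 6):  # group:artifact:type[:classifier]:version:scope
        return None
    key, version = (fields[0], fields[1]), fields[-2]
    if key == LOGBACK_CORE:
        flagged = numeric_version(version) <= LOGBACK_LAST_FLAGGED
        verdict = "LOGBACK_FLAGGED" if flagged else "LOGBACK_ABOVE_RANGE"
    elif key in VERDICTS:
        verdict = VERDICTS[key]
    else:
        return None  # e.g. log4j-api: not the artifact the CVE concerns
    return (":".join(key), version, verdict)

def scan(dependency_list):
    """Classify every line of `mvn dependency:list` output."""
    return [hit for hit in map(classify, dependency_list.splitlines()) if hit]

# Constructed sample output; the versions are illustrative only.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework.boot:spring-boot-starter-logging:jar:2.5.6:compile
[INFO]    ch.qos.logback:logback-core:jar:1.2.6:compile
[INFO]    org.slf4j:log4j-over-slf4j:jar:1.7.32:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
"""

if __name__ == "__main__":
    for coordinate, version, verdict in scan(SAMPLE):
        print(f"{coordinate:45} {version:10} {verdict}")
```

A `LOG4SHELL_ARTIFACT` hit only says the artifact is present; its version still has to be checked against the Apache advisory for CVE-2021-44228.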
