Is Logback also affected by the Log4j zero-day vulnerability issue in Spring Boot?
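As I understand it, Logback was written by the same author. Our application uses Logback. Is it possible that Logback is also affected by the Log4j vulnerability?
This is critical for our organization.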
From the Spring blog:
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. Only applications using log4j-core and including user input in log messages are vulnerable.
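A helpful point of explanation:
log4j-to-slf4j is an adapter between the Log4J API and SLF4J. It does bring in log4j-api but does not bring in log4j-core, so our starters are not affected by this vulnerability.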
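One way to check the condition the quoted Spring blog text describes, as an added example that is not part of the original answer or of Spring's code: it scans a Spring Boot fat jar, including nested jars, and reports whether log4j-core is present rather than only log4j-api and log4j-to-slf4j. The function names are hypothetical, and the sample archives, their file names and the 0.0.0 versions are constructed.

```python
import io
import re
import zipfile

CORE_PKG = "org/apache/logging/log4j/core/"  # package path shipped by log4j-core, not log4j-api
NAME_RE = re.compile(r"(?:^|/)(log4j-core|log4j-api|log4j-to-slf4j)-[^/]*\.jar$")

def scan_archive(data, label="app.jar", depth=0, max_depth=3):
    """Return sorted (kind, location) findings for a jar/war passed as bytes."""
    findings = set()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    with zf:
        names = zf.namelist()
        # Content check: catches log4j-core classes in renamed or shaded jars.
        if any(n.startswith(CORE_PKG) and n.endswith(".class") for n in names):
            findings.add(("log4j-core-classes", label))
        for n in names:
            m = NAME_RE.search(n)
            if m:
                findings.add((m.group(1), f"{label}!/{n}"))
            # Spring Boot fat jars keep dependencies as nested jars (BOOT-INF/lib).
            if n.endswith((".jar", ".war")) and depth < max_depth:
                findings.update(scan_archive(zf.read(n), f"{label}!/{n}", depth + 1, max_depth))
    return sorted(findings)

def has_log4j_core(findings):
    return any(kind in ("log4j-core", "log4j-core-classes") for kind, _ in findings)

def make_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples (file names and 0.0.0 versions are placeholders).
STUB = make_jar({"META-INF/MANIFEST.MF": b""})
CORE = make_jar({CORE_PKG + "Logger.class": b""})
LIB = "BOOT-INF/lib/"
DEFAULT_STARTER = make_jar({LIB + "logback-classic-0.0.0.jar": STUB, LIB + "log4j-api-0.0.0.jar": STUB,
                            LIB + "log4j-to-slf4j-0.0.0.jar": STUB})
SWITCHED = make_jar({LIB + "log4j-api-0.0.0.jar": STUB, LIB + "log4j-core-0.0.0.jar": CORE})
SHADED = make_jar({LIB + "vendor-bundle.jar": CORE})

if __name__ == "__main__":
    for name, jar in [("default", DEFAULT_STARTER), ("switched", SWITCHED), ("shaded", SHADED)]:
        print(name, has_log4j_core(scan_archive(jar)), scan_archive(jar))
```

To scan a real build artifact, pass its bytes, for example `scan_archive(open(path, "rb").read(), path)`. A file-name match alone misses the shaded case, which is why the package-path check is included.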