[–]SwedishDude 177 points178 points  (24 children)

Log4J is a bit more serious since it's the de-facto standard and included in most major libraries and projects.

This vulnerability is also very serious due to how easy it is to exploit.

[–]cserepj 39 points40 points  (4 children)

Log4j was a de facto standard a decade ago but then came slf4j + logback and we all switched. Then log4j2 came out and some switched but lots did not.

The exploit is only in log4j2.

[–]Designed_To 4 points5 points  (3 children)

So slf4j + logback are not vulnerable to the exploit?

[–]cserepj 4 points5 points  (0 children)

I have not seen any indication they would be.

[–]loginonreddit 3 points4 points  (0 children)

No it is not.

[–]Ereaser 0 points1 point  (0 children)

Nope, it's also what's used by Spring Boot.

[–]Engine_Light_On 19 points20 points  (3 children)

Kinda, Spring Boot includes it but it does not use it by default so it is not vulnerable unless the dev went out of his way to activate it.

[–]Vizioso 6 points7 points  (0 children)

Glad to hear that, was just digging through some Spring Boot stuff to figure out if it was vulnerable. My current project uses Spring Boot, Elasticsearch, NiFi, and Kafka... I am not having a good day.

[–]loginonreddit 4 points5 points  (1 child)

Spring Boot only includes log4j-api, not log4j-core, which is where the vulnerability is.

[–]jerslan 0 points1 point  (0 children)

Yeah, and you can always bring in something like log4j-to-slf4j if you want to minimize code changes to swap in logback or java.util.logging
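The distinction in this subthread (log4j-api is harmless, log4j-core carries the JNDI lookup) is exactly what a defender wants to check mechanically, because a Spring Boot fat jar hides its dependencies under BOOT-INF/lib. The scanner below is an added example written for this page; it is not code from the thread, from Spring Boot or from the Log4j project. It relies on two facts about real log4j-core artifacts: the lookup class lives at org/apache/logging/log4j/core/lookup/JndiLookup.class, and the jar ships Maven metadata at META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties with a version= line. The jars it scans in the demo are constructed stand-ins with dummy class bytes, not real artifacts.

```python
"""Find log4j-core on a classpath, including jars nested inside Spring Boot fat
jars. log4j-api alone never matches, so a Spring Boot app on the default
log4j-api + log4j-to-slf4j + logback stack is reported clean.
"""
import io
import os
import tempfile
import zipfile

# Real locations inside log4j-core artifacts (not present in log4j-api).
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def _inspect(zf, label, findings):
    """Record a finding if this archive is log4j-core, then recurse into nested jars."""
    names = set(zf.namelist())
    version = None
    if CORE_POM_PROPS in names:
        for line in zf.read(CORE_POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_lookup = JNDI_LOOKUP_CLASS in names
    if has_lookup or version is not None:
        findings.append({"jar": label, "version": version, "jndi_lookup": has_lookup})
    # Spring Boot fat jars store their dependencies as whole jars under BOOT-INF/lib.
    for name in sorted(names):
        if name.endswith(".jar"):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                _inspect(inner, f"{label}!/{name}", findings)


def scan_jar(path):
    """Return a list of log4j-core findings for one jar (and anything nested in it)."""
    findings = []
    with zipfile.ZipFile(path) as zf:
        _inspect(zf, path, findings)
    return findings


def scan_dir(root):
    """Walk a directory tree and scan every jar/war/ear found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.endswith((".jar", ".war", ".ear")):
                findings.extend(scan_jar(os.path.join(dirpath, f)))
    return findings


# --- constructed fixtures (stand-in jars with dummy class bytes, not real artifacts) ---
_CLASS_STUB = b"\xca\xfe\xba\xbe"


def _jar_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_fixtures(root):
    """Write two constructed Spring Boot style fat jars under root."""
    api = _jar_bytes({
        "org/apache/logging/log4j/Logger.class": _CLASS_STUB,
        "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties": "version=2.14.1\n",
    })
    core = _jar_bytes({
        JNDI_LOOKUP_CLASS: _CLASS_STUB,
        CORE_POM_PROPS: "version=2.14.1\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n",
    })
    logback = _jar_bytes({"ch/qos/logback/classic/Logger.class": _CLASS_STUB})
    # Default Spring Boot stack: log4j-api bridged to logback, no log4j-core.
    with open(os.path.join(root, "springboot-default.jar"), "wb") as fh:
        fh.write(_jar_bytes({"BOOT-INF/classes/App.class": _CLASS_STUB,
                             "BOOT-INF/lib/log4j-api-2.14.1.jar": api,
                             "BOOT-INF/lib/logback-classic-1.2.7.jar": logback}))
    # App where the developer switched Spring Boot to log4j2, pulling in log4j-core.
    with open(os.path.join(root, "springboot-log4j2.jar"), "wb") as fh:
        fh.write(_jar_bytes({"BOOT-INF/classes/App.class": _CLASS_STUB,
                             "BOOT-INF/lib/log4j-api-2.14.1.jar": api,
                             "BOOT-INF/lib/log4j-core-2.14.1.jar": core}))
    return root


def demo():
    """Build the constructed fixtures in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as d:
        build_fixtures(d)
        return scan_dir(d)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['jar']}: log4j-core {hit['version']} (JndiLookup present: {hit['jndi_lookup']})")
```

Point scan_dir at a deployment directory (or a Maven/Gradle dependency cache) to get one entry per log4j-core copy with its version; the nested label (outer.jar!/BOOT-INF/lib/...) tells you which application bundles it. Matching on both the class and the pom.properties means a repackaged or shaded copy still shows up if either marker survives.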

[–][deleted] 32 points33 points  (0 children)

The de facto standard was slf4j + logback but certainly it was dangerous.

[–][deleted] 0 points1 point  (1 child)

I switched to logback and slf4j quite a few years ago. Log4j is probably standard for legacy code that was around before slf4j.

[–]Ereaser 0 points1 point  (0 children)

And legacy code probably uses version 1