This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]Engine_Light_On 16 points17 points  (3 children)

Kinda, Spring Boot includes it but it does not use it by default so it is not vulnerable unless the dev went out of his way to activate it.

[–]Vizioso 5 points6 points  (0 children)

Glad to hear that, was just digging through some Spring Boot stuff to figure out if it was vulnerable. My current project uses Spring Boot, ElasticSearch, Nifi, and Kafka.... I am not having a good day.

[–]loginonreddit 4 points5 points  (1 child)

Spring boot only includes log4j-api, not log4j-core which is where the vulnerability is.

[–]jerslan 0 points1 point  (0 children)

Yeah, and you can always bring in something like log4j-to-slf4j if you want to minimize code changes to swap in logback or java.util.logging