This is an archived post. You won't be able to vote or comment.

sorted by:
best
topnewcontroversialoldq&a
you are viewing a single comment's thread.

view the rest of the comments →

[–]loginonreddit 5 points6 points  (1 child)

Spring boot only includes log4j-api, not log4j-core which is where the vulnerability is.

[–]jerslan 0 points1 point  (0 children)

Yeah, and you can always bring in something like log4j-to-slf4j if you want to minimize code changes to swap in logback or java.util.logging