News

Logback components written for logback 1.2 should work without change in version 1.3. However, Joran, logback's configuration system, has been rewritten to use an internal representation model which can be processed separately. Thus, code depending on Joran needs to be adapted to changes in Joran (logback's internal configuration mechanism). As a result of enhancements to Joran, logback configurat

[ka-ka_xyz]

設定ファイルの書き換えが前提なので脅威度は比較にならないぐらい低いものの、条件次第ではlogbackでもJNDI lookupされると。

[estragon]

“We note that the vulnerability mentioned in LOGBACK-1591 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and LOGBACK-1591 are of utterly different severity levels. ”