Description
This update for logback fixes the following issues:
Upgrade to version 1.2.8
+ In response to log4Shell/CVE-2021-44228, all JNDI lookup code in logback
has been disabled until further notice. This impacts ContextJNDISelector
and insertFromJNDI element in configuration files.
+ Also in response to log4Shell/CVE-2021-44228, all database (JDBC)
related code in the project has been removed with no replacement.
+ Note that the vulnerability mentioned in LOGBACK-1591 requires write
access to logback's configuration file as a prerequisite. The
log4Shell/CVE-2021-44228 and LOGBACK-1591 are of different severity
levels. A successful RCE requires all of the following conditions to be
met:
- write access to logback.xml
- use of versions lower then 1.2.8
- reloading of poisoned configuration data, which implies application
restart or scan='true' set prior to attack