Hi.
As far as I understand, the security issue has been fixed, so updating should be sufficient.
From the Logback page: “Fortunately, logback is unrelated to log4j 2.x and does not share its vulnerabilities.”
If I was cynical I might read that as “it probably has its own unique vulnerabilities which haven’t been found yet” ;)
Ultimately, like a lot of OSS, both projects seem to be maintained by a handful of core developers.
Cheers,
Matt
From: Tech-talk <tech-talk-bounces at aps.anl.gov> on behalf of "Shankar, Murali via Tech-talk" <tech-talk at aps.anl.gov>
Reply-To: "Shankar, Murali" <mshankar at slac.stanford.edu>
Date: Monday, 13 December 2021 at 18:58
To: "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Subject: Log4Shell approaches
We were wondering if others had any recommendations on this. That is, should we continue using/migrating to log4j2 (and hope the security issues are fixed) or should we consider alternatives like logback etc. Any thoughts are appreciated.