What is SLF4J log4j12 jar?
slf4j-log4j12 provides a bridge between SLF4J and Log4j 1.2 so that SLF4J knows about how to log using Log4j. You are using Log4j 1.2. That version’s binding it is maintained by the SLF4J project. Here is a summary from the SLF4J docs: SLF4J supports various logging frameworks.
What is the latest version of SLF4J?
2.0
STABLE version
The current stable and actively developed version of SLF4J is 2.0.
What is slf4j log4j12 used for?
SLF4J ship with a module called log4j-over-slf4j. It allows log4j users to migrate existing applications to SLF4J without changing a single line of code but simply by replacing the log4j. jar file with log4j-over-slf4j. jar, as described below.
Is slf4j log4j12 affected by log4j vulnerability?
No. Using Log4j 2. x via the SLF4J Application Programming Interface does not mitigate the vulnerability.
Is SLF4J-log4j12 vulnerable?
Thus, if your SLF4J provider/binding is slf4j-log4j12. jar, you are safe regarding CVE-2021-44228. If you are using log4j-over-slf4j. jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.
Which version of log4j is in SLF4J?
As the name already indicates slf4j-log4j12 contains log4j v1. 2.
Is SLF4J is same as log4j?
Comparison SLF4J and Log4j
Unlike log4j, SLF4J (Simple Logging Facade for Java) is not an implementation of logging framework, it is an abstraction for all those logging frameworks in Java similar to log4J. Therefore, you cannot compare both. However, it is always difficult to prefer one between the two.
Is SLF4J-log4j12 safe?
Which version of slf4j is not vulnerable?
slf4j:slf4j-ext package. This does not include vulnerabilities belonging to this package’s dependencies. Automatically find and fix vulnerabilities affecting your projects.
Which version of log4j is used in slf4j?
The slf4j-log4j12 is a bridge (binding) from SLF4J to Log4j 1.2: all messages submitted to a org. slf4j. Logger in your code, will be sent to a org. apache.
Which version of SLF4J is not vulnerable?
Is SLF4J same as log4j?
Unlike log4j, SLF4J (Simple Logging Facade for Java) is not an implementation of logging framework, it is an abstraction for all those logging frameworks in Java similar to log4J. Therefore, you cannot compare both.
Is SLF4J log4j12 affected by log4j vulnerability?
Can we use SLF4J instead of log4j?
Conclusion. So essentially, SLF4J does not replace Log4j, Both work together. SLF4j removes the tight coupling between the application and logging frameworks. It makes it easy to replace with any other logging framework in the future with a more capable library.
Is slf4j-log4j12 safe?
Can we use slf4j instead of log4j?
Is SLF4J-log4j12 jar vulnerable?
Thus, if your SLF4J provider/binding is slf4j-log4j12. jar, you are safe regarding CVE-2021-44228.
Is SLF4J-log4j12 affected by log4j vulnerability?
Do we need log4j for slf4j?
Using SLF4J now, when you write the code, will take no more time than using Log4j directly. Replacing direct Log4j calls later will take a lot of time.
…
2 Answers.
| Required dependencies | with log4j-api as API | with SLF4J as API |
|---|---|---|
| Logback as implementation | 4: log4j-api, log4j-to-slf4j, slf4j, Logback | 2: slf4j and Logback |
Which version of log4j is used in SLF4J?