In response to the log4j issue, the logback team has released 1.28 to cover a more unlikely scenario where a similiar exploit can happen as described here to quote:
However, logback may make JNDI calls from within its configuration file. This was recently reported in LOGBACK-1591 as a vulnerability of lesser severity. In response, we have released logback version 1.2.8. Please upgrade.
In response to the log4j issue, the logback team has released 1.28 to cover a more unlikely scenario where a similiar exploit can happen as described here to quote: