qos-ch / slf4j

Simple Logging Facade for Java
http://www.slf4j.org
MIT License

[question] Checking for log4j vulnerabilities present in log4j-over-slf4j #386

Closed robdatasembly closed 10 months ago

robdatasembly commented 10 months ago

Our IDS detected an attempted remote code execution using a vulnerability exploiting CVE-2021-44228 and CVE-2021-45046, which Apache fixed in log4j 2.17.1. Are these vulnerabilities present in log4j-over-slf4j? Apache log4j 1.x was EOL in 2015 and won't receive any security patches, though those CVEs were only known to affect certain versions of log4j 2.x.

hazendaz commented 10 months ago

log4j-over-slf4j is to take log4j1 and pipe it to slf4j. It is not vulnerable as it is not the logger. If your project is purely log4j2 usage, you would not be using this library. It's for legacy projects that still have not migrated to modern projects so that you don't lose logs.

ceki commented 10 months ago

In addition to @hazendaz comments, I would like to mention the reload4j project which might be quite relevant here. Migrating from log4j 1.x to reload4j is very easy.

Here is a quote from the site:

Initiated by Ceki Gülcü, the original author of Apache log4j 1.x, the reload4j project is a fork of Apache log4j version 1.2.17 with the goal of fixing pressing security issues. Reload4j is a binary compatible, drop-in replacement for log4j version 1.2.17. By drop-in, we mean that you can replace log4j.jar with reload4j.jar in your build with no source code changes, no recompilation, nor rebuild being necessary.
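A small classpath-triage script, added here as an illustration and not part of the slf4j or reload4j projects: it reads a jar's Maven coordinates from `META-INF/maven` and reports whether the jar is the log4j-over-slf4j bridge, reload4j, end-of-life log4j 1.2, or log4j-core 2.x (the component the CVEs above concern, which still needs its version checked against 2.17.1). The class and `pom.properties` paths follow the standard jar layout, and the sample jars are constructed in memory rather than real artifacts.

```python
"""Classpath triage: which artifact is providing org.apache.log4j.* classes?"""
import io
import zipfile

# Class shipped by log4j-core 2.x; its JNDI lookup is what CVE-2021-44228 abused.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Class present in every jar implementing the log4j 1.x API
# (log4j 1.2.x, reload4j and the log4j-over-slf4j bridge all ship it).
LOG4J1_API = "org/apache/log4j/Logger.class"
# Maven coordinates recorded as META-INF/maven/<groupId>/<artifactId>/pom.properties.
KNOWN = {
    "org.slf4j/log4j-over-slf4j": "bridge: log4j 1.x API routed to SLF4J, no log4j engine",
    "ch.qos.reload4j/reload4j": "reload4j: maintained fork of log4j 1.2.17",
    "log4j/log4j": "log4j 1.2.x: end of life, unpatched",
    "org.apache.logging.log4j/log4j-core": "log4j-core 2.x: check version against 2.17.1",
}

def classify_jar(data: bytes) -> dict:
    """Return what a jar (given as raw bytes) contributes to the logging stack."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
    coords = set()
    for n in names:
        parts = n.split("/")
        if len(parts) == 5 and parts[:2] == ["META-INF", "maven"] and parts[4] == "pom.properties":
            coords.add(f"{parts[2]}/{parts[3]}")
    return {
        "coordinates": sorted(coords),
        "log4j1_api": LOG4J1_API in names,
        "jndi_lookup": JNDI_LOOKUP in names,
        "verdict": [KNOWN.get(c, f"unknown artifact {c}") for c in sorted(coords)],
    }

def make_jar(entries) -> bytes:
    """Build a minimal jar in memory (constructed sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()

# Constructed stand-ins for two of the jars discussed in the thread.
BRIDGE_JAR = make_jar([LOG4J1_API, "META-INF/maven/org.slf4j/log4j-over-slf4j/pom.properties"])
CORE_JAR = make_jar([JNDI_LOOKUP, "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"])

if __name__ == "__main__":
    for label, jar in (("bridge", BRIDGE_JAR), ("core", CORE_JAR)):
        print(label, classify_jar(jar))
```

On a real system, feed `classify_jar` the bytes of each jar on the application classpath; a bridge-only result with no log4j-core entry is what hazendaz's answer describes.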

robdatasembly commented 10 months ago

Thanks for y'all's help