Apache Sling advisory regarding CVE-2023-6378

Vulnerability CVE-2023- 6378 was reported against the Logback project. This vulnerability exposes applications to "a potential denial of service (DOS) attack on a centralized logback receiver when a third party controlling a remote appender connects to said receiver and could shut down or slow down logging of events".

The Sling Commons Log bundle wraps logback-core and logback-classic, but does not allow arbitrary modifications to the logback.xml file and is therefore not vulnerable by default to the DOS attack. Applications that programatically configure Logback might be affected.

The Apache Sling PMC has released version 5.5.0 of the Sling CommonsLog bundle which contains a fix for applications that use custom Logback feature vulnerable to this CVE. This version upgrades to Logback version 1.2.13 and sets the minimum Java version requirement to 11, in line with the upstream CVE fix.

The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling upgrade to the latest version of the Sling Commons bundle.