Apache Sling advisory regarding CVE-2021-44228 and LOGBACK-1591

On 9th December 2021, a new zero-day vulnerability for Apache Log4j 2 was reported. It is tracked under CVE-2021-44228 and affects Log4j versions from 2.0-beta9 (inclusive) to 2.15.0 (exclusive). It is also known under the Log4Shell name.

Apache Sling modules use the Simple Logging Facade for Java (slf4j) for logging, backed by the Sling Commons Log bundle. There are no Sling modules using versions of Log4j affected by Log4Shell. The Sling Starter and Sling CMS applications do not include any vulnerable version of the Log4j library.

Applications built on top of Apache Sling are not impacted by CVE-2021-44228, provided they do not deploy a vulnerable version of Log4j themselves.

The Sling Commons Log bundle wraps logback-core and logback-classic, but does not allow arbitrary modifications to the logback.xml file and is therefore not vulnerable to the attack described in LOGBACK-1591.

The Apache Sling PMC recommends that developers and operators of applications built on top of Apache Sling review the libraries they deploy to ensure that they do not include vulnerable versions of Log4j.