log4j
Important official statement
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2.
The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own.
Only applications using log4j-core and including user input in log messages are vulnerable.
- log4j-to-slf4j and log4j-api cannot be exploited on their own (they are the jars bundled in the starters)
- Only applications that use log4j-core and also include user input in log messages are vulnerable
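A way to check the first condition on a built artifact, as an added example that is not from the Spring statement or from the original notes: it lists the log4j jars packaged in a Spring Boot fat jar and separates log4j-core from the two jars named above as not exploitable on their own. The function names, the sample jar lists and the version strings are constructed for illustration, and the check assumes dependencies are packaged one level deep under `BOOT-INF/lib/`.

```python
import io
import re
import zipfile

# Artifact names taken from the statement above: these two cannot be
# exploited on their own; log4j-core is the one that matters.
HARMLESS = {"log4j-api", "log4j-to-slf4j"}
# Matches ".../log4j-<artifact>-<version>.jar" and captures the artifact name.
JAR_RE = re.compile(r"(?:^|/)(log4j-[a-z0-9-]+?)-(\d[\w.\-]*)\.jar$")


def classify_log4j_jars(archive):
    """Group the log4j jars found in a jar/war by how the statement treats them.

    `archive` is a path or a binary file-like object. Returns a dict with the
    keys 'core', 'harmless' and 'other', each a list of entry names.
    """
    found = {"core": [], "harmless": [], "other": []}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            match = JAR_RE.search(name)
            if not match:
                continue
            artifact = match.group(1)
            if artifact == "log4j-core":
                found["core"].append(name)
            elif artifact in HARMLESS:
                found["harmless"].append(name)
            else:
                found["other"].append(name)
    return found


def needs_review(archive):
    """True when log4j-core is packaged. Whether user input reaches log
    messages (the second condition) still has to be checked in the code."""
    return bool(classify_log4j_jars(archive)["core"])


def build_sample(lib_names):
    """Constructed stand-in for a fat jar: empty entries under BOOT-INF/lib/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for lib in lib_names:
            zf.writestr("BOOT-INF/lib/" + lib, b"")
    buf.seek(0)
    return buf


# Constructed samples; the version strings are placeholders.
DEFAULT_LIBS = ["logback-classic-1.0.0.jar", "log4j-to-slf4j-2.0.0.jar", "log4j-api-2.0.0.jar"]
SWITCHED_LIBS = ["log4j-core-2.0.0.jar", "log4j-api-2.0.0.jar", "log4j-slf4j-impl-2.0.0.jar"]
```

A `False` result covers only what is packaged in that one archive; a `True` result means the application's log calls need to be reviewed for user-controlled input.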
An approach that looks like a lot of work