
log4j

Yamamoto Shohei
Spring Boot users are only affected by this vulnerability if they have switched the default logging system to Log4J2. 
The log4j-to-slf4j and log4j-api jars that we include in spring-boot-starter-logging cannot be exploited on their own. 
Only applications using log4j-core and including user input in log messages are vulnerable.
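  • log4j-to-slf4j and log4j-api cannot be exploited on their own (they are included in the starters and similar)
  • There is a vulnerability only when log4j-core is used and, in addition, user input is included in log messages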
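
An added example (not from the original post or from the Spring Boot project) of checking the first condition above: whether a Spring Boot fat jar actually bundles log4j-core, as opposed to only log4j-api and log4j-to-slf4j. It looks inside each nested jar for the `org.apache.logging.log4j.core` package, so a renamed jar is still found. The sample jars, the `renamed-logging.jar` file name and the function names are constructed for illustration.

```python
import io
import zipfile

# Package shipped by log4j-core; log4j-api and log4j-to-slf4j do not contain it.
CORE_PKG = "org/apache/logging/log4j/core/"

def make_jar(entries):
    """Build a zip/jar in memory from {entry_name: bytes} (used for the sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def jars_with_log4j_core(fat_jar):
    """Return sorted names of nested jars that contain log4j-core classes.

    '<app classes>' is reported when the classes were copied straight into
    the application archive instead of being bundled as a jar.
    """
    hits = set()
    with zipfile.ZipFile(io.BytesIO(fat_jar)) as outer:
        for name in outer.namelist():
            if CORE_PKG in name and name.endswith(".class"):
                hits.add("<app classes>")
            elif name.endswith(".jar"):
                try:
                    with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                        if any(e.startswith(CORE_PKG) for e in inner.namelist()):
                            hits.add(name)
                except zipfile.BadZipFile:
                    continue  # entry is not a readable jar; skip it
    return sorted(hits)

# Constructed sample jars: empty class entries, only the paths matter here.
API = make_jar({"org/apache/logging/log4j/Logger.class": b""})
BRIDGE = make_jar({"org/apache/logging/slf4j/SLF4JLogger.class": b""})
CORE = make_jar({"org/apache/logging/log4j/core/Logger.class": b""})

# Default spring-boot-starter-logging layout: API and bridge only.
DEFAULT_APP = make_jar({"BOOT-INF/lib/log4j-api.jar": API,
                        "BOOT-INF/lib/log4j-to-slf4j.jar": BRIDGE})
# Application switched to Log4J2, with the core jar under a non-standard name.
SWITCHED_APP = make_jar({"BOOT-INF/lib/log4j-api.jar": API,
                         "BOOT-INF/lib/renamed-logging.jar": CORE})

if __name__ == "__main__":
    print(jars_with_log4j_core(DEFAULT_APP))
    print(jars_with_log4j_core(SWITCHED_APP))
```

A hit covers only the first condition; whether user input reaches log messages still has to be reviewed in the application code.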