Affects Version/s: None
Fix Version/s: None
http://logging.apache.org/log4j/1.2/index.html states that log4j 1.2 has an unresolved security hole (unvalidated deserialization, remotely exploitable without authorization).
Java 9 having a different version string format broke log4j's version string parsing, introducing bugs into its MDC implementation, but that's much less important.
Options for the documentation:
- Add a warning to the SLF4J manual that slf4j-log4j12 should not be used anymore.
- Remove mentions of slf4j-log4j12 entirely.
Options for the code:
Since slf4j-log4j12 cannot be removed from Maven repositories, a new version that warns about the issue should be released:
- Make it output an ERROR, stating "log4j 1.2 has an unfixed security hole; your application can be hacked by anybody with network access (CVE-2019-17571). Migrate to another logging backend as soon as possible."
- As above, but make it abort startup. (That's probably too much; there could be edge cases where an organization cannot migrate and cannot downgrade back to a previous, working slf4j-log4j12.)