The Simple Logging Facade for Java (SLF4J) serves as a simple facade or abstraction for various logging frameworks (e.g. java.util.logging, logback, log4j) allowing the end user to plug in the desired …

An SLF4J provider/binding designates an artifact such as slf4j-jdk14.jar or slf4j-reload4j.jar used to bind slf4j to an underlying logging framework, say, java.util.logging and respectively reload4j.

In the case of logback, the question is moot because logback exposes its logger API via SLF4J. SLF4J is only a facade, meaning that it does not provide a complete logging solution. Operations such as …

Your feedback is requested on changes under consideration for SLF4J version 2.1.0.

Since early 2022, all SLF4J binaries are reproducible. To verify fidelity to the source code, check out the source code from github with the tag corresponding to the version you wish to verify.

An SLF4J binding designates an artifact such as slf4j-jdk14.jar or slf4j-log4j12.jar used to bind slf4j to an underlying logging framework, say, java.util.logging and respectively log4j.

The presence of log4j-over-slf4j.jar will in turn delegate all reload4j API calls to their SLF4J equivalents. If both are present simultaneously, SLF4J calls will be delegated to reload4j (i.e. a security patched …

The org.slf4j.Logger interface is the main user entry point of SLF4J API. It is expected that logging takes place through concrete implementations of this interface.

Apr 13, 2005 · SLF4J will no longer ship with jcl104-over-slf4j.jar but with jcl-over-slf4j.jar. The related work responds to enhancement request discussed in issue 76 as reported by Niklas Gustavsson.

As such, using log4j 2.x, even via SLF4J does not mitigate the vulnerability. However, as mentioned already, log4j 1.x is safe with respect to CVE-2021-44228.