Bug #20421
Updated by Alexis Mousset almost 3 years ago
After the log4j JNDI vulnerability, logback did an audit of their code and found a potential, low-risk (since it needs write access to the logback.xml file) vector: https://jira.qos.ch/browse/LOGBACK-1591. The @/opt/rudder/etc/logback.xml@ file should only be writable by the root user on Rudder servers, so it does not seem exploitable. We still should update to logback 2.6.8 in case other, more horrible, attack vectors are found.
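
A check for the precondition stated above, as an added example that is not part of the original ticket or of Rudder's code: it verifies that the config file and every directory above it are owned by the expected user and carry no group or world write bit, since write access to a parent directory is enough to replace the file. The function names are hypothetical, and GNU coreutils (@stat -c@, @readlink -f@) is assumed.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Assumes GNU stat and readlink.

# owner_only_writable PATH UID
# Succeeds if PATH is owned by UID and has no group/other write bit.
owner_only_writable() {
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || {
        echo "FAIL cannot stat: $1"; return 2; }
    uid=${info% *}     # numeric owner
    mode=${info#* }    # octal mode, e.g. 644 or 1777
    [ "$uid" = "$2" ] || {
        echo "FAIL owner uid=$uid (want $2): $1"; return 1; }
    # 022 masks the group-write and other-write bits.
    [ $(( 0$mode & 022 )) -eq 0 ] || {
        echo "FAIL mode=$mode is group/world-writable: $1"; return 1; }
    return 0
}

# check_config FILE [UID] [STOP_DIR]
# Checks FILE and each ancestor directory up to STOP_DIR (default /).
# UID defaults to 0 (root). Returns 0 only if every component passes.
check_config() {
    file=$(readlink -f "$1") || return 2
    want_uid=${2:-0}
    stop=$(readlink -f "${3:-/}") || return 2
    rc=0
    cur=$file
    while :; do
        owner_only_writable "$cur" "$want_uid" || rc=1
        if [ "$cur" = "$stop" ] || [ "$cur" = "/" ]; then
            break
        fi
        cur=$(dirname "$cur")
    done
    return $rc
}

# On a Rudder server, as root:
#   check_config /opt/rudder/etc/logback.xml
```

Each failing path component is printed on its own line, so a writable parent directory is reported even when the file itself has the expected mode.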