log4j exploit – is it still vulnerable if log4j is maintained in classpath but not actually used in code?
This is regarding the vulnerability reported as CVE-2021-44228 against the log4j-core jar, which has been fixed in Log4J v2.15.0. We use the Logback API via slf4j. This is confirmed with the code below.

```java
final StaticLoggerBinder binder = StaticLoggerBinder.getSingleton();
System.out.println(binder.getLoggerFactory());
System.out.println(binder.getLoggerFactoryClassStr());
// output:
// ch.qos.logback.classic.LoggerContext[default]
// ch.qos.logback.classic.util.ContextSelectorStaticBinder
```

`mvn dependency:tree` shows the log4j-core API (version <2.15) in the classpath (both as a direct and as a transitive dependency). Is…
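A classpath check for the situation the question describes, added here as an example and not part of the original post: it scans `mvn dependency:tree` output (a constructed sample is embedded below) for every `log4j-core` artifact older than the fixed version the question cites, 2.15.0, and reports whether each hit is a direct or a transitive dependency. The threshold is a parameter, since the jar's presence on the classpath, not whether application code calls it, is what the check is about.

```python
import re
from typing import List, Tuple

# Matches a log4j-core coordinate as printed by `mvn dependency:tree`, e.g.
# "org.apache.logging.log4j:log4j-core:jar:2.14.1:compile"
COORD_RE = re.compile(
    r"org\.apache\.logging\.log4j:log4j-core:jar:(?P<version>[\w.\-]+):(?P<scope>\w+)"
)
MARKER_RE = re.compile(r"[+\\]- ")  # the "+- " / "\- " tree connectors


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.14.1' -> (2, 14, 1); a qualifier such as '-rc1' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split(".") if p.isdigit())


def find_vulnerable_log4j(tree_output: str, fixed: str = "2.15.0") -> List[dict]:
    """Report each log4j-core entry older than `fixed`, direct or transitive."""
    findings = []
    for raw in tree_output.splitlines():
        line = raw[len("[INFO] "):] if raw.startswith("[INFO] ") else raw
        coord = COORD_RE.search(line)
        if not coord:
            continue
        version = coord.group("version")
        if parse_version(version) >= parse_version(fixed):
            continue
        marker = MARKER_RE.search(line)
        # Maven indents one level per 3 columns, so the connector's column gives the depth.
        depth = marker.start() // 3 + 1 if marker else 0
        findings.append({
            "version": version,
            "scope": coord.group("scope"),
            "direct": depth == 1,
        })
    return findings


# Constructed sample of `mvn dependency:tree` output, not taken from a real build.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  \\- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- com.example:some-lib:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.13.0:runtime
[INFO] \\- org.apache.logging.log4j:log4j-core:jar:2.15.0:test
"""

if __name__ == "__main__":
    for finding in find_vulnerable_log4j(SAMPLE_TREE):
        print(finding)
```

Pipe a real build's output in with `mvn dependency:tree | python3 check.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; the transitive hit is the one that survives even when the direct dependency is removed.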