Hello all, You might have heard of a Remote code execution (RCE) vulnerability in log4j 2.x, that allows an attacker to execute arbitrary code by controlling the contents of a single logged message. While vulnerabilities are reported now and then, this vulnerability is totally unheard of in its severity. As for logback, while logback claims to be the successor to log4j 1.x, logback is unrelated to log4j 2.x. It does not share code nor vulnerabilities with log4j 2.x. More specifically, logback does not suffer from aforementioned said RCE vulnerability in any shape or form. Unfortunately, the vulnerability exists under SLF4J API when log4j 2.x is used as the back-end implementation. Given the severity of this issue, we encourage you to consider logback as the preferred back-end for SLF4J API. Also note that logback performs significantly better than log4 2.x. Please see the benchmark results at: http://logback.qos.ch/performance.html Better yet, run the benchmark yourself. https://github.com/ceki/logback-perf In our opinion, logging libraries need to be reliable first and foremost with new features added only with extreme care. Best regards, Further references to the RCE vulnerability: https://www.lunasec.io/docs/blog/log4j-zero-day/ https://twitter.com/P0rZ9/status/1468949890571337731 https://github.com/apache/logging-log4j2/pull/608 -- Ceki Gülcü Please contact sales@qos.ch for support related to SLF4J or logback projects.