yes, logback-classic <=1.2. 7 , configuration file also has JNDI vulnerability

see:

https://github.com/cn-panda/logbackRceDemo