
http://bugzilla.slf4j.org/show_bug.cgi?id=181

           Summary: SLF4JLogFactory#getInstance(String) should not use "this" lock
           Product: SLF4J
           Version: 1.5.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: jcl-over-slf4j
        AssignedTo: slf4j-dev@qos.ch
        ReportedBy: sdavids@gmx.de


org.apache.commons.logging.impl.SLF4JLogFactory

The class is open to a denial-of-service attack:

  public Log getInstance(String name) throws LogConfigurationException {
    ...
    synchronized (this) {
      ...
    }
    ...
  }

@@@@

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.commons.logging.LogFactory;

public class Test {

  public static void main(String[] args) {
    ExecutorService pool = Executors.newCachedThreadPool();

    // Thread 1: takes the factory's monitor from outside the class
    // and never releases it.
    pool.execute(new Runnable() {
      public void run() {
        synchronized (LogFactory.getFactory()) {
          while (true);
        }
      }
    });

    // Thread 2: getLog() ends up in getInstance(String), which
    // synchronizes on the same factory object.
    pool.execute(new Runnable() {
      public void run() {
        System.out.println("Logged?");
        LogFactory.getLog("test").info("logged");
      }
    });
  }
}

@@@@

Use either:

  private final Object lock = new Object();

  synchronized(lock)

or:

  synchronized(loggerMap)

@@

see also:

Bloch, Joshua. Effective Java (Second Edition). Sun Microsystems Press/Prentice-Hall, 2008. 280.
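
Added example, not part of the original report and not the SLF4J sources: the `synchronized (this)` pattern next to the private-lock fix the report suggests, with a bounded check (instead of an endless loop) of whether `getInstance` can finish while outside code holds the factory's monitor. `LockDemo`, `ThisLockFactory`, `PrivateLockFactory`, `completesWhileMonitorHeld` and the 500 ms timeout are hypothetical names and values chosen for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.*;

// Hypothetical stand-ins for the factory in the report; not the SLF4J code.
public class LockDemo {
    // Pattern from the report: the monitor is the publicly reachable factory object.
    static class ThisLockFactory {
        private final Map<String, Object> loggerMap = new HashMap<>();
        Object getInstance(String name) {
            synchronized (this) {
                return loggerMap.computeIfAbsent(name, k -> new Object());
            }
        }
    }

    // Suggested fix: the monitor is a private object that callers cannot obtain.
    static class PrivateLockFactory {
        private final Object lock = new Object();
        private final Map<String, Object> loggerMap = new HashMap<>();
        Object getInstance(String name) {
            synchronized (lock) {
                return loggerMap.computeIfAbsent(name, k -> new Object());
            }
        }
    }

    // Holds the factory's own monitor, as any code with a reference to it can,
    // and reports whether a second thread finishes getInstance() within 500 ms.
    static boolean completesWhileMonitorHeld(Object factory, Callable<Object> call) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            synchronized (factory) {
                Future<Object> result = pool.submit(call);
                try {
                    result.get(500, TimeUnit.MILLISECONDS);
                    return true;
                } catch (TimeoutException blocked) {
                    return false; // worker is parked on the monitor we hold
                }
            }
        } finally {
            pool.shutdown(); // a blocked worker finishes once the monitor is released
        }
    }

    public static void main(String[] args) throws Exception {
        ThisLockFactory weak = new ThisLockFactory();
        PrivateLockFactory fixed = new PrivateLockFactory();
        System.out.println("synchronized (this): " + completesWhileMonitorHeld(weak, () -> weak.getInstance("test")));
        System.out.println("private lock:        " + completesWhileMonitorHeld(fixed, () -> fixed.getInstance("test")));
    }
}
```

With the monitor held externally, the `synchronized (this)` call times out while the private-lock call completes, because the external `synchronized (factory)` and the internal `synchronized (lock)` use different objects.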