Fixing Logback CVE-2023-6378 in Spring Boot 2.7.x
To remediate CVE‑2023‑6378 in a Spring Boot 2.7.x application, you must replace the default logging starter with a direct Logback 1.2.x dependency (e.g., 1.2.13), because Spring Boot 2.7 cannot use Logback 1.3.x due to the removed StaticLoggerBinder class; the only other option is to upgrade the whole stack to Spring Boot 3.x, Logback 1.4.x, and JDK 11.
The testing team regularly scans code for security issues. A vulnerability was found in the Logback 1.2.12 library used by a project that depends on Spring Boot 2.7.18. The CVE identifier is CVE-2023-6378.
To remediate, the original spring-boot-starter-logging dependency is removed and a newer Logback version is added:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<artifactId>spring-boot-starter-logging</artifactId>
<groupId>org.springframework.boot</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
Because the project runs on JDK 8, upgrading Logback to the 1.3.x line (which requires JDK 8) seems attractive, but Logback 1.3.x no longer contains the class org/slf4j/impl/StaticLoggerBinder. This leads to a NoClassDefFoundError at runtime:
Exception in thread "main" java.lang.NoClassDefFoundError: org/slf4j/impl/StaticLoggerBinder
at org.springframework.boot.logging.logback.LogbackLoggingSystem.getLoggerContext(...)
...
Investigation shows that Spring Boot 2.7.x is tied to Logback 1.2.x and cannot integrate Logback 1.3.x because the required class was removed starting with Logback 1.3.0‑alpha0. The Spring Boot team confirmed that 2.7.x will not support Logback 1.3.x; support for newer Logback versions is only available in Spring Boot 3.x, which also requires JDK 11.
Work‑arounds discussed include:
Disabling Spring Boot’s default logging system with -Dorg.springframework.boot.logging.LoggingSystem=none.
Customizing the logging system via spring.factories and ApplicationListener to set properties early.
Manually setting the logging system to “none” in code:
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Spring5Application {
public static void main(String[] args) {
// Must be set before SpringApplication.run, which initialises the logging system
System.setProperty("org.springframework.boot.logging.LoggingSystem", "none");
SpringApplication.run(Spring5Application.class, args);
}
}
Ultimately, the only safe upgrade for the current Spring Boot 2.7.x line is to move Logback to version 1.2.13, which still ships the StaticLoggerBinder class, although the CVE remains. The final pom.xml snippet is:
<properties>
<maven.compiler.source>8</maven.compiler.source>
<maven.compiler.target>8</maven.compiler.target>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<logback.version>1.2.13</logback.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<artifactId>spring-boot-starter-logging</artifactId>
<groupId>org.springframework.boot</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>${logback.version}</version>
</dependency>
</dependencies>
In summary, Spring Boot 2.7.x cannot natively support Logback 1.3.x due to incompatibilities with SLF4J 2.0.x. The practical solution is either to stay on Logback 1.2.x (accepting the remaining CVE) or upgrade the whole stack to Spring Boot 3.x, Logback 1.4.x, and JDK 11.
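Pinning logback.version in the pom is only half the job; a transitive dependency can still drag in an older logback-classic, so the resolved graph should be gated in CI. The following script is an added example, not code from the original article: it parses `mvn dependency:tree` output, flags anything below 1.2.13 on the 1.2.x line, and rejects 1.3.x outright because Spring Boot 2.7 cannot load it. SAMPLE_TREE is a constructed stand-in for real build output.

```shell
#!/bin/sh
# Added example, not from the original article: a build-time gate for the
# logback-classic version resolved by a Spring Boot 2.7.x / JDK 8 project.
# Feed it the output of `mvn dependency:tree`; SAMPLE_TREE below is
# constructed to look like that output and is not real build output.

# Print the first logback-classic version found in dependency:tree text on stdin.
logback_version() {
  sed -n 's/.*ch\.qos\.logback:logback-classic:jar:\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Classify a logback-classic version for Spring Boot 2.7.x:
#   INCOMPATIBLE  not on the 1.2.x line (1.3.x drops org.slf4j.impl.StaticLoggerBinder)
#   VULNERABLE    1.2.x below 1.2.13, the version the remediation moves to
#   OK            1.2.13 or later on the 1.2.x line
logback_status() {
  case $1 in
    1.2.*) patch=${1#1.2.}; patch=${patch%%[!0-9]*}
           if [ "${patch:-0}" -ge 13 ]; then echo OK; else echo VULNERABLE; fi ;;
    *)     echo INCOMPATIBLE ;;
  esac
}

# Read a dependency tree on stdin; succeed only when logback-classic is OK.
gate_tree() {
  v=$(logback_version)
  [ -n "$v" ] || { echo "logback-classic not found in dependency tree"; return 1; }
  status=$(logback_status "$v")
  echo "logback-classic $v: $status"
  [ "$status" = OK ]
}

# Constructed sample: what Spring Boot 2.7.18 resolves before the exclusion is applied.
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.18:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.18:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.18:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.12:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.12:compile'

if printf '%s\n' "$SAMPLE_TREE" | gate_tree; then
  echo "build may proceed"
else
  echo "fail the build until the pom pins logback.version to 1.2.13"
fi
```

In a real pipeline replace the sample with `mvn -q dependency:tree | gate_tree` and let its exit status fail the job.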
Java Tech Enthusiast