Why Logback 1.2.7 Is Vulnerable and How to Safely Upgrade
This article explains the Logback CVE‑2021‑42550 vulnerability affecting versions before 1.2.9, outlines the three conditions required for exploitation, compares its severity to Log4j, and provides concrete steps—including upgrading to 1.2.9 and setting the configuration file read‑only—to protect Java applications.
Background
Following the high‑profile Log4j vulnerability, many developers assumed switching to Logback would avoid similar risks, only to discover a new Logback flaw that also permits remote code execution.
Vulnerability Details
Logback versions lower than 1.2.9 are affected by CVE‑2021‑42550. An attacker who can modify logback.xml of an application running a vulnerable Logback version, and who can either get the application restarted or relies on scan=true being set, can inject a malicious LDAP-backed configuration and execute arbitrary code. All three conditions must hold:
1. Permission to edit logback.xml
2. Logback version < 1.2.9
3. Application restart or scan=true before the attack
The official announcement rates the vulnerability as MEDIUM, explicitly stating it is less severe than the Log4j issue (CVE‑2021‑44228).
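The three conditions above, together with the read-only configuration check from the mitigation section below, can be audited on a host with a short script. This is an added example, not code from the article; it assumes POSIX sh with ls, cut, sed and grep, and that the Logback version in use is known (for example from the logback-classic jar name or mvn dependency:tree).

```shell
# Added audit script (not the article's code) for the three CVE-2021-42550
# preconditions. Assumes POSIX sh with ls, cut, sed and grep.
# Exit 0 if VERSION is 1.2.9 or later, 1 if affected. Suffixes after the
# patch number are dropped, so 1.3.0 alphas are not told apart (assumption).
logback_version_fixed() {
  major=$(printf '%s\n' "$1" | cut -d. -f1)
  minor=$(printf '%s\n' "$1" | cut -d. -f2)
  patch=$(printf '%s\n' "$1" | cut -d. -f3 | sed 's/[^0-9].*$//')
  [ "${major:-0}" -gt 1 ] && return 0
  [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -gt 2 ] && return 0
  [ "${major:-0}" -eq 1 ] && [ "${minor:-0}" -eq 2 ] && [ "${patch:-0}" -ge 9 ] && return 0
  return 1
}

# Exit 0 if FILE has no write bit for owner, group or others, i.e. the
# read-only state recommended above. ls -l is used instead of "test -w" so
# the verdict does not depend on who runs the script (root can write anything).
config_read_only() {
  mode=$(ls -ld "$1" | cut -c2-10)
  case "$mode" in
    *w*) return 1 ;;
    *)   return 0 ;;
  esac
}

# Exit 0 if FILE enables periodic rescanning (scan="true" or scan='true'),
# which lets an edited logback.xml take effect without a restart.
config_scan_enabled() {
  grep -Eqi 'scan=.true' "$1"
}

# Exit 0 when the chain is broken (fixed version, or config not writable),
# 1 when someone able to edit the file could reach the vulnerable code.
# Restarts cannot be seen here, so scan=true only changes the message.
audit_logback() {
  ver="$1"; cfg="$2"
  if logback_version_fixed "$ver"; then
    echo "logback $ver: fixed, CVE-2021-42550 does not apply"; return 0
  fi
  if config_read_only "$cfg"; then
    echo "logback $ver affected but $cfg is read-only; still upgrade"; return 0
  fi
  if config_scan_enabled "$cfg"; then
    echo "RISK: $ver affected, $cfg writable, scan=true (no restart needed)"
  else
    echo "RISK: $ver affected, $cfg writable (reachable after a restart)"
  fi
  return 1
}
```

Run it as `audit_logback 1.2.7 /path/to/logback.xml`; a non-zero exit means the upgrade is still outstanding on a host where the file can be edited.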
Mitigation
Upgrade Logback to version 1.2.9 or later and make the logback.xml file read‑only so it cannot be modified by the application's runtime user. For Spring Boot projects, versions prior to 2.5.8 and 2.6.2 still pull in a vulnerable Logback, so override the logback.version property in pom.xml as follows:
    <properties>
        <java.version>1.8</java.version>
        <!-- pin Logback to the first fixed release; Spring Boot's managed version is overridden -->
        <logback.version>1.2.9</logback.version>
    </properties>

Conclusion
Although the Logback issue is rated only medium severity, it underscores the necessity of continuously monitoring framework release notes for security patches. Regularly checking official changelogs and reviewing code differences between versions helps developers quickly identify and remediate vulnerabilities.
Senior Brother's Insights
A public account focused on workplace, career growth, team management, and self-improvement. The author is the writer of books including 'SpringBoot Technology Insider' and 'Drools 8 Rule Engine: Core Technology and Practice'.