Tags: java, log4j, slf4j, spring-security-saml2

Excluding slf4j-api from spring-security-saml2-core, we are getting a runtime exception NoClassDefFound: org/slf4j/LoggerFactory


After the log4j zero-day vulnerability, we started to look if there are any more artifacts that are using either slf4J or lower versions of log4j.

Checking the mvn dependency tree, we figured out that spring-security-saml2-core is using slf4j, and we tried to exclude that from the artifact. However, we are receiving the below runtime exception:

    java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
        at org.opensaml.DefaultBootstrap.getLogger(DefaultBootstrap.java:246)
        at org.opensaml.DefaultBootstrap.initializeXMLSecurity(DefaultBootstrap.java:189)
        at


Solution

  • If you are referring to the CVE-2021-44228 vulnerability (aka Log4Shell), then SLF4J is not the vulnerable library, so you don't have to exclude it. Only log4j-core is affected by this particular vulnerability, for versions from 2 up to (but not including) 2.15.0. See https://nvd.nist.gov/vuln/detail/CVE-2021-44228

    There are other known vulnerabilities at the moment (and many that are still probably waiting to be discovered), as @eray-tufay points out. The example he gives is https://cve.report/CVE-2021-4104:

        "Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default"

    So, to be protected against current and future vulnerabilities:
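The following is an added example, not code from the question, the answer, or the Spring Security SAML or OpenSAML projects. It serves both the question's dependency-tree check and the answer's point about which artifact is actually affected: it reads the kind of `mvn dependency:tree` output the question mentions (here a constructed sample with hypothetical coordinates) and flags only log4j-core 2.x before 2.15.0 (CVE-2021-44228) and log4j 1.2 (CVE-2021-4104, with the JMSAppender caveat), while reporting slf4j-api as informational so nobody is tempted to exclude it and hit the NoClassDefFoundError above. The function name `check_log4j_tree` and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: scan the text
# output of `mvn dependency:tree` for logging artifacts and flag only the
# ones the answer says are affected. It mirrors the NVD range quoted on the
# page (log4j-core 2.x before 2.15.0 for CVE-2021-44228) and the log4j 1.2
# JMSAppender caveat for CVE-2021-4104; it does not track later point
# releases, so treat its output as a triage aid, not a final verdict.
# SLF4J lines are reported as informational and never flagged, because the
# facade itself is not the vulnerable library.

# Constructed sample tree (hypothetical coordinates, not from a real build).
SAMPLE_TREE='[INFO] com.example:app:jar:1.0
[INFO] +- org.springframework.security.extensions:spring-security-saml2-core:jar:1.0.10.RELEASE:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  \- org.opensaml:opensaml:jar:2.6.6:compile
[INFO] +- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO] \- log4j:log4j:jar:1.2.17:compile'

# Reads dependency:tree output on stdin. Prints one FLAG line per affected
# artifact and one INFO line per SLF4J artifact. Returns 1 if anything was
# flagged, 0 otherwise, so it can gate a CI step.
check_log4j_tree() {
    awk '
    BEGIN { found = 0 }
    {
        # Find the groupId:artifactId:type[:classifier]:version:scope token.
        tok = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+:[a-z-]+:/) { tok = $i; break }
        if (tok == "") next
        n = split(tok, f, ":")
        g = f[1]; a = f[2]
        v = (n >= 6) ? f[5] : f[4]   # a classifier shifts the version field
        split(v, p, ".")
        major = p[1] + 0; minor = p[2] + 0
        if (g == "org.apache.logging.log4j" && a == "log4j-core" && major == 2 && minor < 15) {
            printf "FLAG %s:%s:%s CVE-2021-44228 (log4j-core 2.x before 2.15.0)\n", g, a, v
            found = 1
        } else if (g == "log4j" && a == "log4j" && major == 1) {
            printf "FLAG %s:%s:%s CVE-2021-4104 (log4j 1.2, only when JMSAppender is configured)\n", g, a, v
            found = 1
        } else if (g == "org.slf4j") {
            printf "INFO %s:%s:%s SLF4J facade, not affected by CVE-2021-44228; keep it\n", g, a, v
        }
    }
    END { exit found }'
}

# Demo run over the constructed tree; on a real project you would run:
#   mvn dependency:tree | check_log4j_tree
printf '%s\n' "$SAMPLE_TREE" | check_log4j_tree
echo "exit status: $?"
```

On the sample tree the script flags log4j-core 2.14.1 and log4j 1.2.17, reports slf4j-api as informational, and leaves log4j-api and opensaml alone; the non-zero exit status is what a build pipeline would key on.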