Before the Log4Shell issue happened last month I was using 'org.springframework.boot:spring-boot-starter-logging:1.5.22.RELEASE', which has internal dependencies on the ch.qos.logback:logback-classic:1.1.11 and ch.qos.logback:logback-core:1.1.11 jars respectively.
After the Log4Shell issue occurred I upgraded both jars to ch.qos.logback:logback-classic:1.2.3 and ch.qos.logback:logback-core:1.2.3 with Gradle v3.5, which works fine. Now when I try to upgrade the jars to logback-classic:1.2.10 and logback-core:1.2.10, it stops me while running the application with the error below:
org.gradle.tooling.BuildException: Could not execute build using Gradle distribution 'https://services.gradle.org/distributions/gradle-3.5-all.zip'.
Do I need to move to a higher version of Grails, or does Gradle 3.5 have an issue with this upgrade? Any hint or guidance is most welcome.
From https://logback.qos.ch/news.html
We note that the vulnerability mentioned in CVE-2021-42550 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell and CVE-2021-42550 are of different severity levels. In response to CVE-2021-42550 (aka LOGBACK-1591) we have decided to make the following steps.

1) Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. Many thanks to Michael Osipov for suggesting this change and providing the relevant PR.
2) SMTPAppender was hardened.
3) Temporarily removed DB support for security reasons.
4) Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.

We note that the aforementioned vulnerability requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity levels. A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met:

- write access to logback.xml
- use of versions < 1.2.9
- reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack

As an additional extra precaution, in addition to upgrading to logback version 1.2.9, we also recommend users to set their logback configuration files as read-only.
For now there is no support in Grails, so logback v1.2.9 onwards is not supported for now.
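The advisory quoted above gives three preconditions for an RCE via CVE-2021-42550 (writable logback.xml, a version below 1.2.9, and a reload through restart or scan="true") plus the 1.2.9 hardening rule that only java: JNDI names are honored. The script below is an added example, not code from the question, the answer or the logback project: it applies those checks to a logback.xml so you can tell whether an instance you cannot yet upgrade (e.g. one pinned by Grails) is actually exposed, and it applies the recommended read-only precaution. The sample configuration is constructed for the example; insertFromJNDI, env-entry-name and scan are logback's real configuration syntax, everything else (function names, the assess() result keys) is this script's own. It also shows why the version check must be numeric: as strings, "1.2.10" sorts before "1.2.9", which is exactly the upgrade the question is about.

```python
"""Check a logback.xml against the CVE-2021-42550 preconditions (added example)."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

FIXED_VERSION = (1, 2, 9)  # first release with the hardened JNDI lookup

# Constructed sample config: scan="true", one java: lookup (honored by 1.2.9+)
# and one non-java: lookup (ignored by 1.2.9+, honored by older releases).
SAMPLE_CONFIG = """<configuration scan="true" scanPeriod="30 seconds">
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <insertFromJNDI env-entry-name="ldap://example.invalid/cfg" as="remote"/>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder><pattern>%d %-5level [${appName}] %msg%n</pattern></encoder>
  </appender>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""


def parse_version(version):
    """'1.2.10' -> (1, 2, 10); compare tuples, never strings ("1.2.10" < "1.2.9" as text)."""
    return tuple(int(part) for part in version.split(".")[:3])


def version_is_vulnerable(version):
    return parse_version(version) < FIXED_VERSION


def jndi_lookups(xml_text):
    """Return (env-entry-name, honored_by_1_2_9) for every <insertFromJNDI> element."""
    root = ET.fromstring(xml_text)
    return [(el.get("env-entry-name", ""), el.get("env-entry-name", "").startswith("java:"))
            for el in root.iter("insertFromJNDI")]


def scan_enabled(xml_text):
    """scan="true" makes logback reload the file, so a poisoned file is picked up without a restart."""
    return ET.fromstring(xml_text).get("scan", "false").lower() == "true"


def config_is_writable(path):
    """Look at the mode bits, not os.access(): root passes os.access(W_OK) on any file."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o222 != 0


def make_read_only(path):
    """The advisory's extra precaution: strip every write bit from the config file."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def assess(xml_text, version, path):
    """All three conditions true means the advisory's RCE preconditions are met."""
    lookups = jndi_lookups(xml_text)
    return {
        "version_vulnerable": version_is_vulnerable(version),
        "scan_true": scan_enabled(xml_text),
        "config_writable": config_is_writable(path),
        "non_java_jndi_names": [name for name, honored in lookups if not honored],
    }


def demo(version="1.2.3"):
    """Write the sample config, assess it, apply read-only, assess again; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "logback.xml")
        with open(path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONFIG)
        before = assess(SAMPLE_CONFIG, version, path)
        make_read_only(path)
        after = assess(SAMPLE_CONFIG, version, path)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # let the temp dir clean up everywhere
        return before, after


if __name__ == "__main__":
    before, after = demo("1.2.3")
    print("before hardening:", before)
    print("after  chmod 444:", after)
```

Run it against a real deployment by reading your own logback.xml into assess() with the logback-classic version from your dependency report; a result with all three booleans true is the case the advisory describes, and making the file read-only flips config_writable to false without touching the application.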