Eduardo Bueno wrote: That is log4j 1.2. It was not affected by the vulnerability. Only Log4j version 2 is affected.
True, but Log4J 1 has been EOL for years already, and has its own vulnerabilities. I think that you're still safe as long as you don't use a JMS or SMTP appender.
Anyways, slf4j-log4j12 has only one simple task - provide an SLF4J implementation backed by Log4J 1. If you don't want to include Log4J 1, excluding it from slf4j-log4j12 is not the way to go. That's just NoClassDefFoundErrors waiting to happen. Instead, just remove the entire slf4j-log4j12 dependency. I'd replace it with another implementation, like logback-classic or slf4j-jdk14, otherwise you won't have any logging at all.
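A build audit for the two conditions discussed in the reply above, as an added example that is not part of the original posts. It assumes a Maven `pom.xml` using the standard POM namespace and a `log4j.properties` file; the sample inputs are constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
RISKY_APPENDERS = ("JMSAppender", "SMTPAppender")  # the two appenders named in the reply

# Constructed sample pom.xml (not from the thread); the version is a placeholder.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-log4j12</artifactId>
      <version>VERSION_PLACEHOLDER</version>
      <exclusions>
        <exclusion><groupId>log4j</groupId><artifactId>log4j</artifactId></exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>"""

# Constructed sample log4j.properties (not from the thread).
SAMPLE_PROPS = """log4j.rootLogger=INFO, console, mail
log4j.appender.console=org.apache.log4j.ConsoleAppender
# log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.mail=org.apache.log4j.net.SMTPAppender
log4j.appender.mail.To=ops@example.invalid
"""

def audit_pom(pom_text):
    """Flag slf4j-log4j12, and flag it again if log4j itself was excluded from it."""
    findings = []
    for dep in ET.fromstring(pom_text).iterfind(".//m:dependency", NS):
        if dep.findtext("m:artifactId", default="", namespaces=NS).strip() != "slf4j-log4j12":
            continue
        findings.append("slf4j-log4j12 present: SLF4J is bound to Log4J 1")
        excluded = {e.findtext("m:artifactId", default="", namespaces=NS).strip()
                    for e in dep.iterfind("m:exclusions/m:exclusion", NS)}
        if "log4j" in excluded:
            findings.append("log4j excluded from slf4j-log4j12: NoClassDefFoundError risk")
    return findings

def audit_log4j_properties(text):
    """Return the appender keys whose class is a JMS or SMTP appender."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", "!")) or "=" not in line:
            continue  # skip comments and non-assignments
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("log4j.appender.") and value.endswith(RISKY_APPENDERS):
            hits.append(key)
    return hits
```
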