I am using slf4j in my project with the following :
implementation "org.slf4j:slf4j-api:${versions.slf4japi}" (1.7.32)
implementation "org.slf4j:slf4j-simple:${versions.slf4jsimple}" (1.7.32)
I am really confused because I don't have the log4j-1.2.17.jar in my project, but in common-logging I have this dependency:
<dependency>
    <groupId>log4j</groupId>
    <artifactId>log4j</artifactId>
    <version>1.2.17</version>
    <optional>true</optional>
</dependency>
I am aware that they made a statement, and I am nearly kind of sure that my project is concerned, and I don't know how I can fix it! Any help will be appreciated.
First of all, as mentioned in the SLF4J post you have linked, Log4j 1 is not affected by CVE-2021-44228 (but it is end of life and affected by other vulnerabilities). Additionally, it is marked as an optional dependency, so by default it is not included when you depend on common-logging; see the POM Reference and Introduction to the Dependency Mechanism, which mentions this as well:
It may be helpful to think of optional dependencies as "excluded by default."
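As an added example (not from the question or the answer), a small POSIX shell function that scans a resolved dependency listing, such as the output of `./gradlew dependencies --configuration runtimeClasspath` or `mvn dependency:tree`, for Log4j artifacts and separates the Log4j 1 case described above from a Log4j 2 core engine that would need checking against the Log4j 2 advisory. The sample listing it runs on is constructed.

```shell
#!/bin/sh
# Added example, not code from the question or answer.
# classify_log4j reads a dependency listing on stdin and prints one
# "<verdict> <coordinates>" line per Log4j-named artifact it finds.
# Gradle lines look like "group:artifact:version"; Maven tree lines look
# like "group:artifact:jar:version:scope" and are normalised to the Gradle form.
# Caveat: Gradle prints conflict resolution as "x:y:1.0 -> 1.2"; the version
# before the arrow is the one reported here, so read "->" lines by hand.
classify_log4j() {
  grep -o -E '[A-Za-z0-9._-]+:log4j[A-Za-z0-9._-]*:[A-Za-z0-9._:-]+' |
  sed -E 's/:jar:/:/; s/:(compile|runtime|provided|test)$//' |
  sort -u |
  while IFS= read -r coord; do
    case "$coord" in
      org.apache.logging.log4j:log4j-core:2.*)
        echo "REVIEW Log4j 2 core engine present, check version against the Log4j 2 advisory: $coord" ;;
      log4j:log4j:1.*)
        echo "INFO Log4j 1.x: not affected by CVE-2021-44228, but end of life: $coord" ;;
      org.slf4j:log4j-over-slf4j:*|org.apache.logging.log4j:log4j-to-slf4j:*)
        echo "INFO bridge artifact only, no Log4j 2 core engine: $coord" ;;
      *)
        echo "INFO other Log4j-named artifact (api, bridge, etc.): $coord" ;;
    esac
  done
}

# Constructed sample of a Gradle runtimeClasspath listing (not real project output).
# commons-logging is shown without its optional log4j child, which is exactly what
# "excluded by default" means; a log4j-core 2.x entry is added so the REVIEW path runs.
SAMPLE_TREE='runtimeClasspath - Runtime classpath of source set main.
+--- org.slf4j:slf4j-api:1.7.32
+--- org.slf4j:slf4j-simple:1.7.32
|    \--- org.slf4j:slf4j-api:1.7.32
+--- commons-logging:commons-logging:1.2
\--- org.apache.logging.log4j:log4j-core:2.14.1
     \--- org.apache.logging.log4j:log4j-api:2.14.1'

# demo runs the classifier over the constructed sample and prints the findings.
demo() {
  printf '%s\n' "$SAMPLE_TREE" | classify_log4j
}

demo
```

Pipe your real listing in with `./gradlew dependencies --configuration runtimeClasspath | classify_log4j`; an empty result means no Log4j-named artifact resolved onto that classpath.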