We’re excited to report the results of a security audit of slf4j. Simple Logging Facade for Java (slf4j) is identified in the Harvard Census II results as one of the most widely deployed logging frameworks. The security and supply chain review was facilitated by the Open Source Technology Improvement Fund and carried out by Include Security.

The goal of security audits is to find vulnerabilities so they can be fixed before attackers exploit them, as well as to identify opportunities to harden a project’s implementation and processes to counter vulnerabilities in the future. The review found that slf4j has a very small attack surface and does not support post-processing of logging messages, a feature that can be a cause for security concern, as with the log4j vulnerabilities published in 2021.

The results of the security audit are three findings (1 Low Risk, 2 Informational), a documented threat model, and a Supply Chain Security review against SLSA. As a result of this review, slf4j, logback, and reload4j (a new fork of log4j 1.x with security fixes) now have reproducible builds, which substantially increases the difficulty of a supply-chain attack.

All findings identified through this security audit have been fixed and validated. See below for the full report. 

A huge thank you to Ceki Gülcü of slf4j for actively participating in the audit process. 

Special thanks to OpenSSF for supporting the work and to Google for funding the audit. 

Proactive security audits go a long way in detecting and fixing vulnerabilities. Everyone around the world depends on OSS, and we would love to do more security audits! If you’re interested in financially supporting this work, contact [email protected].

References:

Link to full report: https://ostif.org/wp-content/uploads/2022/07/OSTIF-2022-Q2-slf4j-Report-v2.pdf

Link to Open Source Security Foundation announcement: https://openssf.org/blog/2022/07/18/results-of-sigstore-and-slf4j-security-audits/