https://github.com/spring-projects/spring-boot/blob/2.6.x/spring-boot-project/spring-boot-starters/spring-boot-starter-logging/build.gradle#L9
jboss:
https://github.com/jboss-logging/jboss-logging/blob/master/src/main/java/org/jboss/logging/LoggerProviders.java#L83-L88
Comment From: snicoll
It is unclear if you're reporting this against the Log4J CVE or not.
Regardless, our starter brings the slf4j bridge for log4j2. This doesn't bring log4j-core itself and, without it, the line in the second link will throw an exception.
Comment From: fantasy0v0
https://github.com/jboss-logging/jboss-logging/blob/43da19f54d1e965710c45bb0ad4da6572f8c20f0/src/main/java/org/jboss/logging/LoggerProviders.java#L94-L100
should actually use Slf4jLoggerProvider, but because of spring-boot-starter-logging dependency on org.apache.logging.log4j:log4j-to-slf4j, resulting in the use of Log4j2LoggerProvider
Comment From: snicoll
@fantasy0v0 you keep quoting JBoss code in this issue tracker and I am not really sure what problem you are trying to report, really. Our default logging infrastructure is as such that logs are redirected to slf4j if necessary to Logback. so adding the slf4j bridge for log4j2 is intentional.
As far as I can see, use of JBoss logging in your app is going to use the slf4j bridge for log4j2 due to the code above. And that should route to whatever was configured as the main logging library (Logback by default).
To reiterate again, in case you're reporting this due to the recent Log4j CVE, if you don't have log4j-core on the classpath, you're not affected.