Jackson is not affected by log4j/logback CVEs

(because it does not use either logging framework)

TL;DNR;

Background: CVE-2021-44228

Jackson and Logging: no direct relationship

  • Due to the existence of multiple logging APIs, a library traditionally had to decide which one to use/support — while this is less of a problem these days (just use slf4j), it was a bigger challenge when Jackson started.
    Not using logging also removes the need for one or more external dependencies.
  • Logging framework configuration is a global concern, whereas configuration of a library like Jackson is much more localized: there may be multiple unrelated uses of Jackson by frameworks and by the service/application itself. It seemed difficult to come up with meaningful logging where there is no real context for execution (that is, it is hard to know how Jackson is being used and what kind of processing is “log-worthy”).
  • Almost all potential logging use cases for Jackson have been (or could be) better handled by an extension point which allows SOMETHING ELSE to handle responsibilities like logging — so Jackson in effect prefers handing over any need for logging to whoever is in a better position to do so.
  • Many logging use cases would, in general, be better handled by tracing, or metrics/statistics interfaces: logging systems allow printing out semi-formatted text, which for events is about the least convenient and useful way to do it. It seems much better to provide structured, contextual data, over printing out human-readable (but not very machine-processable) log lines.
  1. Jackson core does not use logging frameworks directly and there are no plans for it to do so in future.
  2. Jackson core should provide extension points to expose all pertinent information so that frameworks, applications and services may produce all log output of interest they desire.
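As an added illustration of the extension-point approach described above (example code, not from the post or the Jackson project), the snippet below uses Jackson's `DeserializationProblemHandler` to receive unknown-property events and record them as structured data chosen by the application; the `Config` type, the `RecordingHandler` class and the sample JSON are constructed for this example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.deser.DeserializationProblemHandler;

public class UnknownPropertyAudit {

    // Hypothetical target type for this example; not part of Jackson.
    public static class Config {
        public String name;
        public int retries;
    }

    // Extension point: Jackson reports the event, the application decides what
    // (if anything) to record and through which logging/metrics sink.
    public static class RecordingHandler extends DeserializationProblemHandler {
        public final List<String> events = new ArrayList<>();

        @Override
        public boolean handleUnknownProperty(DeserializationContext ctxt, JsonParser p,
                JsonDeserializer<?> deserializer, Object beanOrClass, String propertyName)
                throws IOException {
            Class<?> target = (beanOrClass instanceof Class)
                    ? (Class<?>) beanOrClass : beanOrClass.getClass();
            // Structured event rather than a pre-formatted log line. The property
            // name is untrusted input; whether it is ever handed to a logging
            // framework is decided here by the application, not by Jackson.
            events.add("unknown-property target=" + target.getSimpleName()
                    + " name-length=" + propertyName.length());
            p.skipChildren(); // consume the unknown value so parsing can continue
            return true;      // handled: suppress Jackson's default exception
        }
    }

    public static void main(String[] args) throws IOException {
        RecordingHandler handler = new RecordingHandler();
        ObjectMapper mapper = new ObjectMapper().addHandler(handler);

        // Constructed sample input: one field the Config type does not declare.
        String json = "{\"name\":\"svc\",\"retries\":3,\"legacyField\":true}";
        Config cfg = mapper.readValue(json, Config.class);

        System.out.println(cfg.name + " " + cfg.retries);
        handler.events.forEach(System.out::println);
    }
}
```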

Coda

Open Source developer, most known for Jackson data processor (nee “JSON library”), author of many, many other OSS libraries for Java, from ClassMate to Woodstox

@cowtowncoder