On Jackson, log4j/logback vulnerabilities: https://cowtowncoder.medium.com/jackson-is-not-affected-by-log4j-logback-cves-fdebf152057f


Tatu Saloranta

Dec 19, 2021, 5:12:13 PM
to jackson-user
Since I have received a few direct (off-mailing-list/off-twitter)
queries on this, I decided to blog about it:

https://cowtowncoder.medium.com/jackson-is-not-affected-by-log4j-logback-cves-fdebf152057f

So, TL;DNR; -- Jackson is NOT vulnerable to any of the CVEs that affect
log4j and logback. This is because Jackson does not do any direct
logging of its own, using either framework.

So for once there is a simple answer to a big question. :)

Happy Holidays,

-+ Tatu +-

Mantas Gridinas

Dec 22, 2021, 12:26:14 PM
to jackson-user
Praise Tatu for not imposing a particular logging facade as a transitive dependency.

Happy holidays to you too!