Hi,

While working on PR#2142[1] I noticed that we have an
`a.o.l.l.core.parser` package that depends on Jackson.

Since Log4j itself never parses log events, I would propose to remove
it from `log4j-core` and optionally move it somewhere else (Chainsaw
or Flume?).

My main concern is vulnerability exposure:

 * I would like to prevent CVEs like CVE-2019-17571[2] from being
published against `log4j-core` in the future. Dealing with CVEs that
say "code that we never use is vulnerable to..." bring a lot of
useless PR/documentation work: we'll need to explain to users how to
mitigate a vulnerability that is almost never exploitable and our
users will also have to evaluate the exploitability of the CVE in
their own applications,
 * in some not so far future we'll need to publish VEX records to
comply with regulation. Every time Jackson will publish a
deserialization vulnerability, we'll need to state that we are
vulnerable.

What do you think?

Piotr

[1] https://github.com/apache/logging-log4j2/pull/2142
[2] https://www.cvedetails.com/cve/CVE-2019-17571/

Reply via email to