Since I have received I few direct (off-mailing-list/off-twitter) queries on this, I decided to blog about it:
https://cowtowncoder.medium.com/jackson-is-not-affected-by-log4j-logback-cves-fdebf152057f So, TL;DNR; -- Jackson is NOT vulnerable to any of CVEs that affect log4j and logback. This is because Jackson does not do any direct logging of its own, using either framework. So for once there is a simple answer to a big question. :) Happy Holidays, -+ Tatu +- -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/CAL4a10gOxDm5cf6X4ADaK0%3DG-_7icbJ1jtvDaAD47Wbtkc4QMA%40mail.gmail.com.
