Maintaining, improving, and securing a Java logging library

Key facts

Investment Amount
Investment Year(s)
2023, 2024

Logback is one of the most widely used logging frameworks in the Java community and is deployed billions of times on servers, computers, and smartphones. Logging is the act of keeping track of events occurring in computer systems. It helps administrators and developers identify and track errors across all phases from development to operation of code. In the security context, logging is particularly important for early detection and tracking of system failures, cyberattacks or other events that can endanger a company, its data or its customers.

Why is this important?

Java remains a widely used programming languages internationally, and logging is a common function required in most programs. System administrators and programmers around the world embed logging libraries into data centers, enterprise servers, network technologies, and system components, making these libraries critical digital infrastructure in businesses and administrations. Therefore, when a security vulnerability exists in a logging library, it can have a very wide impact. This became a reality in 2021 when a critical vulnerability was discovered in the other widely used Java logging library Apache Log4j 2, called the log4shell.

Logback and Log4j 2 are both Java logging libraries, yet due to different architectural choices, they both have their advantages and drawbacks in certain situations. In order to reduce the likelihood of a similar scenario to log4shell occurring in the future, it’s important to invest in the maintainability of logging libraries at large, ensure ease of adoption, and offer a variety of implementations. That way, software developers can choose the right library for their situation and still be safe from vulnerabilities.

What are we funding?

STF is funding the logback maintainer Ceki Gülcü to continue to perform maintenance work, such as fixing bugs and vulnerabilities, and working on further improvements to the logback, SLF4J, and reload4j libraries. In addition, some work will be done to adapt logback to the latest version of the Java Development Kit and the GraalVM, a high performance Java virtual machine.

More technologies

All technologies