My thoughts on Log4j

I’ve been a software developer for more or less 10 years, developed for native mobile, web, server apps, back-office apps, and mainstream apps.

I have seen many “wonders” created by developers, and also wrote my own “wonders” 🐒, it is inevitable.

by “wonders” i mean code that makes no sense and the world could be better without it

Here is an attack we received

The “Robust applications” 😅

I love it when I see developers or even software engineers, explaining their software is robust because they have used the X library built by Y…

Well my dear colleagues, adding “robust” libraries to your software, especially on your microservice, is not going to make your application better, just heavier and dependent on someone else work and goodwill to maintain it.

Adding dependencies will just create technical debt to your application.

My absolute favorites are the Java hardcore developers. In their minds, there is JAVA and nothing else.

Now don’t get me wrong, i think java is a great language and brought us the most of the services that we use today. But is not what many advocate about it.

I have seen developers adding all kinds of libraries to small software for all kinds of reasons.
Like log4j, because log4j gives us free log information about our application, log timestamp, the thread that it was working on, and so on…
But my question is: Do you need it?

The bloatware

The majority of libraries have other dependencies, libraries that use other libraries. What you are doing is losing control of your application, with software that you don’t maintain.

In a NodeJs app, if we have a look into the node_modules folder, we see hundreds of folders🤯 . 90% of those libraries are sub dependencies, and most of us never look inside that folder.

We see libraries like isBoolean, isString, array-flatten, camelcase, cameless, decamelize, isBuffer, isPromise

Let’s have a look at the isPromise code

Really, for 1 line of code, you are adding an entire library?
Can’t you just copy that line of code and used it?

Now you are dependant on a library, that is maintained by a stranger.

And NodeJs is not the only one affected by this nonsense, Java has the same problem, just go to the home/.m2 or home/.gradlefolder and admire the madness.

Everyone language suffers from this orgy of dependencies.


Ohhh, let’s talk about the elephant in the room.

Many developers have asked: “why does the log4j need the ability to make a call to a server and download java code and execute that code?”

My question is why do you need log4j?

Using system.out.println it is thread blocking, but it can be called asynchronously with just a few lines of code. This alone can not be the reason to add a log4j.

If you are writing a desktop application, I can understand using some advanced logging.
If you are maintaining an old monolith, yeah it all makes sense.

But if you are writing microservices on a cloud, why?

If you need to trace data flow with the thread that is running on in production, you are writing bad software.
You should have unit tests that ensure this.

Need to know the instance that is consuming, processing, and producing data?
The cloud does that for you for free.

Fancy timestamp?
come on, you are writing tens of thousands of lines of code, are you telling me you need log4j to create a timestamp and put it into a string?


You see, secure software is close to impossible to write.

We have made giant steps into making software more reliable, and more secure.

The more code our application has, the more privileges it needs and more options for bugs to form.

Some are advocating that proprietary software could mitigate security issues.
I think proprietary software is even worse, because a skilled hacker could always find a way in, and never share the vulnerability. A company could be vulnerable for years, or even more before someone noticed.

Others, me as well, advocate that opensource is better since everyone (blackhat whitehat) can check the code for bugs or vulnerabilities.
A white hat most definitely will let the owner know that there is something wrong, while a black hat will try to take advantage of that vulnerability before anyone else will notice it.

For security, we could talk for hours and never manage to get to a decisive point or strategy.

My 2 cents

Is fine to use libraries to make our life easier, but we should do it with a bit of responsibility.

Import just what you need, and since is open source, in case of isPromise just copying that line in your code, don’t import the entire lib, avoid chaos as much as possible. Later on, you will notice a lighter and more performant application.

Use and implement what that specific application needs, don’t add code or dependencies just to make the application look more complex than it is.

Edit 22/12/2021 for comments guys

Dependencies are dangerous, every application needs to limit the number of dependencies, especially if are open-source and you have never examined them.

You may be like:

come on Brainless, this library is being used by FANG companies, this is secure, is well written, is stable, is rock solid, blah, blah, blah…

My answer to this argument is:

Yes, so it was a lib called log4j, used by everyone since 1999 and also by fang FANG. And the vulnerability that has been found has been introduced in 2014.

Thank you for reading and as always,
If you enjoyed please leave a few claps 👏👏👏
As it helps me a lot.

Have a lovely day.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store