Docbop
Posted December 14, 2021

Seen this popping up in regular news to panic people and get ratings; here's a Tech news explanation of what Log4Shell and Log4j are about. Short version: it mainly affects web servers, not anything a user can do.
Mighty Ferguson
Posted December 14, 2021

Unfortunately this has been dominating my work life since Friday. While it's true there's not anything a normal user can do, it's legitimately one of the worst vulnerabilities to come along in a long time due to the combination of being fairly easy to exploit, plus it is a remote code vulnerability, meaning you can get a target server to run malicious code directly. It's got a vulnerability score of 10.0, the highest there is. The underlying Log4j component is present in lots of Java environments, even if it's not being used, so the impact is very wide. Web apps of all sorts are vulnerable, and so for a lot of companies it's a combination of fixing the ones coded in-house, plus waiting for the vendors of vulnerable off-the-shelf software to fix theirs.

"If you can't dazzle them with dexterity, baffle them with bullshit."
GovernorSilver
Posted December 14, 2021

I do feel sympathy for former colleagues who may have had to work extra hours due to log4j. I've never seen log4j used to execute code. I'm sure the smartest peeps on the past Java-focused projects I worked on were aware of that feature, but we used log4j to... just write to log files... and Java code to do what code does... how about that? If I were still working at my last job, I probably would have had a very busy last couple of days too. I now work with a team that develops software primarily with .NET C#. Coming from a Java background, I've had to deal with some learning curves, like how .NET handles logging compared to Java.
David Emm
Posted December 14, 2021

This crap makes me long for my old IBM Selectric. It woke the dead while in operation, but it never crashed.

"Well, the 60s were fun, but now I'm payin' for it." ~ Stan Lee, "Ant-Man and the Wasp"
vonnor
Posted December 15, 2021

My current project is upgrading to v2.15 this week due to this finding.

Gear: Hardware: Nord Stage 4, Korg Kronos 2, Novation Summit. Software: Cantabile 3, Halion Sonic 3 and assorted VST plug-ins.
Stokely
Posted December 15, 2021

That caused a pretty big stir over the weekend at work; various dev teams had to upgrade apps and integrations. I'm over on the database side of things; the world of development has left me in the dust over the past decade and a half (and to be fair, I was always just a web application scripter anyway). All the frameworks and dependencies and ORMs... not to mention the crazy front end, which was what I was primarily fleeing from: "But I wanted that special color of blue!" "Er... we agreed on the exact color during the last meeting..." Kill me now if I ever have to work with front-end clients again.
mauriziodececco
Posted December 15, 2021

Ehm, this subject also kept my professional life busy this week (software security, or rather the lack of it, is what pays my salary every month). And finally I discovered that the real threat is the Minecraft server running at home on a Mac Mini, which I manage with my 15-year-old son.

Maurizio

Nord Wave 2, Nord Electro 6D 61, Rameau upright, Hammond Pro44H Melodica. Too many Arturia, NI and AAS plugins. http://www.barbogio.org/ https://barbogio.bandcamp.com/follow_me
Mighty Ferguson
Posted December 15, 2021

> My current project is upgrading to v2.15 this week due to this finding.

Vonnor, there's yet another new CVE (DDoS vulnerability, not as severe) for 2.15. Plan to go straight to 2.16.

"If you can't dazzle them with dexterity, baffle them with bullshit."
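A defender's version-triage script for the advice in this thread (anything below 2.15 is exposed to the RCE, and 2.15 itself still needs the jump to 2.16). This is an added example, not code from any poster; the jar paths are constructed, and it assumes Maven-style `log4j-core-<version>.jar` file names.

```python
import re
from pathlib import Path

# Release lines from the thread: 2.15 addressed the original RCE, and the advice
# is to skip it for 2.16 because of the follow-up CVE. Raise UPGRADE_TARGET as
# later fixed releases appear.
LOG4SHELL_FIXED = (2, 15, 0)
UPGRADE_TARGET = (2, 16, 0)

# Only log4j-core carries the vulnerable lookup code, so log4j-api jars are
# ignored. Pre-release tags such as "-beta9" are accepted and read as x.y.0.
JAR_RE = re.compile(r"^log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?\.jar$")

def parse_version(path):
    """Return (major, minor, patch) for a log4j-core runtime jar path, else None."""
    m = JAR_RE.match(Path(path).name)
    if not m or m.group(4) in ("sources", "javadoc", "tests"):
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def classify(version):
    """Map a log4j-core version to the action the thread implies for it."""
    if version[0] != 2:
        return "not-2.x"          # 1.x is a separate line; review it separately
    if version < LOG4SHELL_FIXED:
        return "vulnerable-rce"   # exposed to Log4Shell, upgrade immediately
    if version < UPGRADE_TARGET:
        return "below-target"     # 2.15: RCE fixed, but the follow-up CVE remains
    return "ok"

def scan(paths):
    """Inventory every log4j-core runtime jar in the paths with its status."""
    return [(p, v, classify(v)) for p in paths if (v := parse_version(p))]

def summarize(findings):
    """Count findings per status so an owner sees how much needs action."""
    counts = {}
    for _, _, status in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts

# Constructed sample inventory, e.g. from `find / -name 'log4j-*.jar'`.
SAMPLE_PATHS = [
    "/opt/app/WEB-INF/lib/log4j-core-2.14.1.jar",
    "/opt/app/WEB-INF/lib/log4j-api-2.14.1.jar",
    "/opt/legacy/lib/log4j-core-2.0-beta9.jar",
    "/srv/minecraft/libraries/log4j-core-2.15.0.jar",
    "/srv/tools/log4j-core-2.16.0.jar",
    "/srv/tools/log4j-core-2.16.0-sources.jar",
]
```

Feed `scan()` the output of a filesystem search for jar names; shaded or fat jars that bundle log4j classes under another name are not caught by a file-name check and need their contents inspected.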