18 votes

Log4Shell: RCE 0-day exploit found in log4j2, a popular Java logging package

8 comments

  1. [3]
    petrichor

    This is a really, really bad bug.

    What a way to end 2021.

    9 votes
    1. [2]
      admicos

      There's still 20 days to discover something much worse!

      9 votes
      1. whbboyd

        There's surprisingly little room for "much" worse IMO, lol. Maybe if someone finds a trivial ring-0 RCE in the Linux TCP stack…?

        6 votes
  2. [4]
    whbboyd

    So, who else got to spend this morning plumbing the depths of the dependency trees of their employer's entire software suite? ;) Pretty much all my colleagues were affected by this; I'd bet this issue hits some 90% of the world's organizations, and probably nearly 100% of orgs big enough to have software developers on staff.

    (I got lucky: our logging backend of choice is slf4j-simple, I only found one place log4j had snuck in anyway, and it wasn't accessible to untrusted data. I ripped it out anyway, but it was a "while I'm looking at it" thing, not a panicked emergency fix.)

    (While I've always thought log4j was massively overengineered crap, now I have a clear and substantial consequence to point to, so at least there's that!)

    8 votes
    1. stu2b50

      I'm not on infra so I just mostly sat around and occasionally did things infra teams wanted us to do while they scrambled to track all the log4j dependencies.

      All the Jetbrains products evidently use log4j too, so that was locked until they could push an update to everyone.

      3 votes
    2. [2]
      teaearlgraycold

      If it affects me it’s because of a SaaS we use. So nothing for me to do.

      You might be overestimating the amount of software companies that work with Java.

      2 votes
      1. whbboyd

        It's certainly possible! Java and the JVM are definitely very widespread, but definitely not universal, and I don't know exactly what the distribution is.

        On the other hand, I imagine there are plenty of orgs like yours which are affected because of packaged software based on the JVM, even if their developers wouldn't touch Java with a twenty-foot pole, or if they have no software devs on staff at all. Even though the only thing to do is wait for your vendor, you're still affected.

        4 votes
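The dependency-tree hunt whbboyd describes above, as an added example that is not part of this thread or of any commenter's tooling: a scanner that walks a deployment directory, opens every jar/war/ear, recurses into archives nested inside them (the fat-jar and WEB-INF/lib cases that a build tool's dependency report does not show), reads the version of each embedded log4j-core from its Maven metadata, and reports whether it falls in the range the bug got as CVE-2021-44228 (2.0-beta9 through 2.14.1, with the 2.3.1+ and 2.12.2+ backports treated as fixed) and whether JndiLookup.class, the class whose removal was the accepted interim mitigation, is still inside. The sample jars are constructed in memory with placeholder bytes and are not real log4j artifacts; the version-ordering rule and the status labels are this example's own assumptions.

```python
# Added example (not from the thread): find log4j-core copies in a tree of
# archives, including archives nested inside other archives, and classify each
# against CVE-2021-44228 (affected versions 2.0-beta9 .. 2.14.1).
import io
import os
import tempfile
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Maven metadata that log4j-core ships inside its own jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class implementing the ${jndi:...} lookup; deleting it was the interim mitigation.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(v):
    """'2.14.1' -> (2, 14, 1, 1, ''); '2.0-beta9' -> (2, 0, 0, 0, 'beta9').
    A pre-release tag sorts before the numeric release it precedes. Assumption:
    log4j 2.x pre-release tags (beta1..beta9, rc1, rc2) order correctly as strings."""
    core, _, tag = v.partition("-")
    nums = tuple(int(p) for p in core.split(".") if p.isdigit())
    nums += (0,) * (3 - len(nums))
    return nums[:3] + ((0, tag) if tag else (1, ""))


def classify(version, has_jndi_lookup):
    """Status of one log4j-core copy with respect to CVE-2021-44228."""
    if version == "unknown":
        return "VULNERABLE" if has_jndi_lookup else "unknown (no version metadata)"
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not-affected"
    # Backport releases for old JVMs (2.3.1+ for Java 6, 2.12.2+ for Java 7) carry the fix.
    if (v[:2] == (2, 3) and v[2] >= 1) or (v[:2] == (2, 12) and v[2] >= 2):
        return "patched"
    if v <= parse_version("2.14.1"):
        return "VULNERABLE" if has_jndi_lookup else "MITIGATED (JndiLookup removed)"
    return "patched"  # 2.15.0+; the later 2.16/2.17 advisories still apply on top


def scan_archive(data, location, findings):
    """Inspect one archive held in memory; recurse into any archives it contains."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        # Suffix match so a shade-relocated copy (some/prefix/org/apache/...) is still caught.
        has_jndi = any(n.endswith("log4j/core/lookup/JndiLookup.class") for n in names)
        if POM_PROPS in names:
            props = {}
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):
                    key, _, val = line.partition("=")
                    props[key.strip()] = val.strip()
            findings[location] = classify(props.get("version", "unknown"), has_jndi)
        elif has_jndi:
            # Fat jar with the Maven metadata stripped: version unknown, class present.
            findings[location] = classify("unknown", True)
        for name in names:
            if name.lower().endswith(ARCHIVE_EXTS):
                scan_archive(zf.read(name), location + "!" + name, findings)


def scan_path(root):
    """Return {archive location: status} for every log4j-core found under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                with open(path, "rb") as fh:
                    scan_archive(fh.read(), rel, findings)
    return findings


def make_jar(version=None, jndi=False, nested=None):
    """Build a constructed (not real) jar in memory for the demonstration below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                        f"artifactId=log4j-core\nversion={version}\n")
        if jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder bytes, not bytecode
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo():
    """Lay out a constructed deployment tree, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        os.makedirs(os.path.join(root, "other"))
        layout = {
            "lib/log4j-core-2.14.1.jar": make_jar("2.14.1", jndi=True),
            "other/log4j-core-2.17.1.jar": make_jar("2.17.1", jndi=True),
            # A war whose bundled log4j-core had JndiLookup.class deleted by hand.
            "app.war": make_jar(nested={
                "WEB-INF/lib/log4j-core-2.14.1.jar": make_jar("2.14.1", jndi=False)}),
            "unrelated.jar": make_jar(nested={"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
        }
        for rel, data in layout.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_path(root)


if __name__ == "__main__":
    for location, status in sorted(demo().items()):
        print(f"{status:32} {location}")
```

Point `scan_path` at a real deployment directory (a Tomcat `webapps/`, a Docker image's extracted filesystem) to use it for real. It only looks at archives on disk, so log4j-core fetched at runtime or loaded from a classpath outside the scanned tree is not seen, and "patched" here means only "outside the CVE-2021-44228 range"; the follow-up advisories for 2.15 and 2.16 still need checking separately.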