So, who else got to spend this morning plumbing the depths of the dependency trees of their employer's entire software suite? ;) Pretty much all my colleagues were affected by this; I'd bet this issue hits some 90% of the world's organizations, and probably nearly 100% of orgs big enough to have software developers on staff.
(I got lucky: our logging backend of choice is slf4j-simple, I only found one place log4j had snuck in anyway, and it wasn't accessible to untrusted data. I ripped it out anyway, but it was a "while I'm looking at it" thing, not a panicked emergency fix.)
(While I've always thought log4j was massively overengineered crap, now I have a clear and substantial consequence to point to, so at least there's that!)
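One way to do the dependency-tree plumbing described above mechanically, as an added example that is not from this thread or from any of its posters: the script walks a directory for jars and wars, descends into archives nested inside fat jars (where a transitive log4j-core usually hides), and reports each copy with its version and whether `JndiLookup.class` is still inside it. The pom.properties path and the lookup class path are the real ones from Maven-built log4j-core jars; the sample archives the script builds for itself are constructed fixtures, not real log4j artifacts. It flags versions below 2.15.0 (the first release with the JNDI lookup switched off for the Log4Shell RCE, CVE-2021-44228); it does not answer the separate question the comment above raises, namely whether untrusted strings actually reach the logger.

```python
"""Find log4j-core inside a tree of jars/wars, including nested archives, and
report which copies are still exposed to the JNDI lookup behind Log4Shell.
Added example, not code from the thread; sample jars below are constructed."""
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Real paths inside Maven-built log4j-core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# 2.15.0 disabled message lookups for CVE-2021-44228. Later releases (2.16.0,
# 2.17.x) closed follow-on issues, so anything below 2.17.1 still merits an
# upgrade even if this script does not flag it for the original RCE.
FIXED_VERSION = (2, 15, 0)


def version_key(version):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(x) if x else 0 for x in m.groups())


def parse_version(pom_properties_text):
    """Pull the version= line out of a pom.properties file."""
    for line in pom_properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


def scan_archive(data, label):
    """Findings for one archive (bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; skip quietly
    with zf:
        names = set(zf.namelist())
        has_jndi = JNDI_LOOKUP_CLASS in names
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if has_jndi or version is not None:
            key = version_key(version) if version else None
            # Exposed if the lookup class is present AND the version predates
            # 2.15.0 (2.0-beta9 onward is affected; earlier betas are treated
            # conservatively). Unknown version with the class present is flagged.
            # A jar with the class deleted (the stop-gap mitigation) is not flagged.
            vulnerable = has_jndi and (key is None or key < FIXED_VERSION)
            findings.append({"path": label, "version": version,
                             "jndi_lookup": has_jndi, "vulnerable": vulnerable})
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under root; nested archives get 'outer!inner' labels."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings


def build_sample_jar(version, include_jndi=True, nested_in=None):
    """Constructed fixture shaped like log4j-core; optionally wrapped in an
    outer archive at entry name `nested_in` to imitate a fat jar or war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    data = buf.getvalue()
    if nested_in:
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nested_in, data)
        data = outer.getvalue()
    return data


def demo():
    """Build three constructed fixtures in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1"))
        (root / "app.war").write_bytes(
            build_sample_jar("2.0-beta9", nested_in="WEB-INF/lib/log4j-core-2.0-beta9.jar"))
        # 2.17.1 still ships JndiLookup.class, so class presence alone would be a
        # false positive; the version check is what clears it.
        (root / "patched.jar").write_bytes(build_sample_jar("2.17.1", include_jndi=True))
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['version'] or '?':10} jndi={f['jndi_lookup']}  {f['path']}")
```

Run it against a build output or deployment directory by calling `scan_tree("/path/to/deploy")`; the `!` in a label marks an archive inside an archive. Presence of the class alone is not the test, because patched releases still contain it; absence of the class in an old jar means someone already applied the class-removal mitigation, which the script treats as no longer exposed but which you should still replace with a real upgrade.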
I'm not on infra so I just mostly sat around and occasionally did things infra teams wanted us to do while they scrambled to track all the log4j dependencies.
All the Jetbrains products evidently use log4j too, so that was locked until they could push an update to everyone.
If it affects me it’s because of a SaaS we use. So nothing for me to do.
You might be overestimating the amount of software companies that work with Java.
It's certainly possible! Java and the JVM are definitely very widespread, but definitely not universal, and I don't know exactly what the distribution is.
On the other hand, I imagine there are plenty of orgs like yours which are affected because of packaged software based on the JVM, even if their developers wouldn't touch Java with a twenty-foot pole, or if they have no software devs on staff at all. Even though the only thing to do is wait for your vendor, you're still affected.
This is a really, really bad bug.
What a way to end 2021.
There's still 20 days to discover something much worse!
There's surprisingly little room for "much" worse IMO, lol. Maybe if someone finds a trivial ring-0 RCE in the Linux TCP stack…?
Related:
Apache's security log
CVE 10.0 issued
GitHub Advisory