Log4J exploit - Exploit found in popular Java library

Minecraft is coded in Java and it's a buggy game. Why wouldn't it use a Java logging library?
Why should it use one at all? What non-trivial log4j feature is crucial to a block placing game?
 
I'm a bit of a dumb cunt when it comes to modern computing (even BASIC without line numbers confuses the shit out of me), so the articles that have a clue about Log4j go over my head, and those that don't are making it sound like some sort of digital armageddon.

All I've been able to work out is that it's something to do with Java. Does this mean that if I don't have Java on my computer, I shouldn't have any problems? Or are there programs with Java in them that don't need Java installed?
 
TL;DR: This is a Grab Your Ankles and Kiss Your Ass Goodbye event.

This vulnerability is rated a 10. That's twice this year that a vulnerability has been rated a 10. You don't see 10s that often, if ever.


This is one of those "DEF CON 1 PATCH ALL THE THINGS!" that has happened at work where there was a swarm of bridge calls with every goddamn major vendor demanding patches because we pay them hundreds of millions a year and we don't want to get fucked by this.

Everything from your goddamn refrigerator to your cell phone to major tech companies runs Java. Application developers want to know when the button turns green, you log in to the webapp, you decide to hit the block with your axe, you dial a phone number; they want a LOG to troubleshoot and record what the fuck goes on with your shit. LOGGING=GOOD.

This shit part of Log4j was supposed to be deprecated (phased out) years ago, but Java devs were too scared that it would cause major shit storms, so they left it in there. Now, here's what we've got: your fucking Roomba is going to start sending DDoS to your router and your kid's Minecraft Windows PC is about to join the botnet Collective. This is actively being exploited TODAY, and this week it's going to catch on with the kiddos, where you will see parts of the internet go dark.

If you don't have Information Security actively pouring themselves a fifth of Everclear tonight to go to sleep, they are in for a world of hurt.

If you have Java installed on your computer (LOL, uninstall Minecraft, you fuckwit), go update to the latest patch version on https://www.java.com/en/ . Auto-update your shit or just uninstall Java. You don't fucking need it.
 
Mental Outlaw also made a video about it on the 10th:

EDIT:
Marcus Hutchins (Malware Tech), released a video today, as well:
 
Why should it use one at all? What non-trivial log4j feature is crucial to a block placing game?
The developers googled "java logging library" years ago and clicked the first result. They didn't look into the features it offered, or if they did, they probably saw a laundry list of 50+ features and said, "Wow, this does a lot! Let's use it" and never questioned if they needed even 99% of what it offered.

A huge majority of Java programmers did the exact same thing and now we're facing one of the biggest tech clusterfucks in recent memory.
 
The developers googled "java logging library" years ago and clicked the first result. They didn't look into the features it offered, or if they did, they probably saw a laundry list of 50+ features and said, "Wow, this does a lot! Let's use it" and never questioned if they needed even 99% of what it offered.

A huge majority of Java programmers did the exact same thing and now we're facing one of the biggest tech clusterfucks in recent memory.
Doesn't that describe basically all coding at this point? Just find a library to do what I want, even if it takes 3 others to make it play right.
 
It's just a video game. What's stopping you from just using println?
Because logging saves you having your code full of println and err.println everywhere.

log4j acts as a background task to record operations, function calls, the stack, system time, network events and everything that is occurring, so you can get a full-blown, system-wide understanding of events occurring during failures. It has saved me dozens of hours of programming figuring out bugs when I can just check the logger and see "thread execution failed because of this function call on this line with these network events occurring before and after this call".

It may seem stupid but it makes code 100x more readable at scale.
 
I'm a bit of a dumb cunt when it comes to modern computing (even BASIC without line numbers confuses the shit out of me), so the articles that have a clue about Log4j go over my head, and those that don't are making it sound like some sort of digital armageddon.

All I've been able to work out is that it's something to do with Java. Does this mean that if I don't have Java on my computer, I shouldn't have any problems? Or are there programs with Java in them that don't need Java installed?
The Java Virtual Machine can be bundled into executables and run without requiring someone to have the JVM installed.

You can run Minecraft without needing the JVM (because it's bundled into the executable). So yes you can still be vulnerable if any desktop application you run uses Java.

I stayed late at work deleting the naughty versions of log4j from multiple machines. I hate Java forever now.
I think this is only a problem with the logger and not Java. The language has some fantastic use cases and despite all the jeet-ery and flak it gets, it's a fantastic language for building really safe and moderately fast applications that serve large scale endeavours.
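A check that goes with the two posts above (the JVM can be bundled, so "I don't have Java installed" proves nothing, and the cleanup job of hunting down the naughty versions on disk). The script below is an added example, not code from this thread or from Apache. It walks a directory, opens every .jar/.war/.ear it finds (looking one level into nested archives, since fat jars and .war files hide their dependencies), reads the log4j-core version from the Maven pom.properties that released log4j-core jars ship with, and reports whether the JndiLookup class, the class that performs the lookup the exploit abuses, is still inside the jar. The version floor (2.16.0, taken from the 2.15.0 fix and CVE-2021-45046 quoted later in the thread), the sample jars and the file names are assumptions made for the example; later advisories raised the bar again, so check the current Apache advisory before trusting the threshold.

```python
import io
import sys
import tempfile
import zipfile
from pathlib import Path

# log4j-core ships this class; it performs the JNDI lookup from inside a log
# message that the exploit abuses. Deleting it from the jar is the stop-gap
# Apache documented for systems that could not upgrade right away.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in released log4j-core jars; the version is read from here.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Assumption for this script: 2.15.0 was the first fix and 2.16.0 closed
# CVE-2021-45046 (both mentioned in the thread). Later advisories moved the
# bar again, so treat this as a floor, not the final word.
FIXED_VERSION = (2, 16, 0)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); pre-release suffixes such as '2.0-beta9' are dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def inspect_archive(data, label, depth=0):
    """Report every log4j-core found in one archive (bytes); looks one level into nested jars."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip at all, nothing to say about it
    names = set(zf.namelist())
    if POM_PROPERTIES in names:
        version = None
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_LOOKUP_CLASS in names
        # An unreadable version with the lookup class still present counts as
        # vulnerable: a false alarm is cheaper than a missed jar.
        vulnerable = has_jndi and (version is None or parse_version(version) < FIXED_VERSION)
        findings.append({"jar": label, "version": version,
                         "jndi_lookup_present": has_jndi, "vulnerable": vulnerable})
    if depth < 1:
        for inner in sorted(names):
            if inner.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(inner), f"{label}!{inner}", depth + 1))
    return findings


def scan_tree(root):
    """Walk a directory and inspect every .jar/.war/.ear under it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.extend(inspect_archive(path.read_bytes(), path.relative_to(root).as_posix()))
    return findings


def _make_jar(entries):
    """Build a jar in memory from {name: bytes}; only used to construct the sample tree."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed test data, not real log4j jars: four cases the scanner must tell apart."""
    root = Path(root)
    lib = root / "lib"
    lib.mkdir(parents=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic is enough for a presence check

    def core(version, keep_jndi=True):
        entries = {POM_PROPERTIES: f"version={version}\n".encode()}
        if keep_jndi:
            entries[JNDI_LOOKUP_CLASS] = fake_class
        return _make_jar(entries)

    (lib / "log4j-core-2.14.1.jar").write_bytes(core("2.14.1"))                  # plain vulnerable
    (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(core("2.14.1", False))  # class deleted
    (lib / "log4j-core-2.17.0.jar").write_bytes(core("2.17.0"))                  # patched
    # A fat deployment: the 2.15.0 with the incomplete fix hides inside a .war, one level down.
    (root / "service.war").write_bytes(_make_jar({"WEB-INF/lib/log4j-core-2.15.0.jar": core("2.15.0")}))


def run_demo():
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else run_demo()
    for f in results:
        flag = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{flag:10} {f['jar']}  version={f['version']}  JndiLookup={f['jndi_lookup_present']}")
```

Run it as `python log4j_scan.py /path/to/app` against a real tree; with no argument it scans the constructed sample. Note that the stripped 2.14.1 jar is reported as ok only because the lookup class is gone, which is exactly the class-deletion mitigation; a jar whose version string cannot be read but still carries the class is reported as vulnerable on purpose. The scanner only knows about log4j 2.x (1.x uses different Maven coordinates) and only descends one level into nested archives.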
 
I think this is only a problem with the logger and not Java. The language has some fantastic use cases and despite all the jeet-ery and flak it gets, it's a fantastic language for building really safe and moderately fast applications that serve large scale endeavours.
Yep, but I'm a drama queen.
 
I didn't hear about this until the IT team at my job lost their minds yesterday, begging everyone to run a script ASAP to update Log4j. I've looked into it and it looks bad, to say the least. I don't have the technological literacy to answer these questions, so if anyone here knows the answer, please, lend a hand:

1. What should I, someone who runs no Java-based servers and sells no Java-based software, be doing right now? Should I be purging every program that runs Java from my PC? Is there anything I can do to avoid being compromised, or is that out of my control until there's an unexploited Log4j update? None of the techno-journos are putting solutions in terms that the technologically illiterate can understand; it seems like they're all just flexing their cybersecurity terminology instead.

2. If this is as bad as techno-journos are implying, where the fuck is the mainstream media coverage? If I were a journo, the front page would be filled with what this exploit is, why it took so long for it to be noticed, and how this will have negative ramifications for years to come. The fearmongering would bring in mountains of revenue. Are regular journos just too braindead to understand the severity, or am I the braindead one for overreacting?

3. Isn't this kind of damning for the security of open source that people gush about so much? This has been in the wild since 2013, and the vulnerability was only just reported now. It seems to me that a bad actor trying to distribute malware has way more incentive to look for vulnerabilities in open source software and keep quiet about it, while a good-faith programmer gets no money from combing through open source software and can easily assume that someone else will find an issue. Doesn't common sense and the tragedy of the commons suggest that open source software is more vulnerable than paid software developed by a company that will lose money if they get compromised?
 
The initial fix apparently had its own exploits, too.
Last week, security researchers notified developers that they had discovered an actively exploited zero-day vulnerability in the Apache Struts framework. The flaw was in the Log4J logging utility. The Apache Foundation issued a fix with version 2.15.0 and publicly disclosed the weakness over the weekend.

[...]

Almost as quickly as systems were installing Log4J 2.15.0, security firms Praetorian and Cloudflare began seeing active attacks in the patched systems. Researchers pinpointed at least two exploits in a new vulnerability tracked as CVE-2021-45046.
 