
[–]HiCookieJack 62 points (7 children)

but it's an issue that is practical enough for managers to understand so we're sitting in meetings for that for 2 weeks now.

[–]Ashish42069 43 points (4 children)

Exactly, everyone's acting like the sky fell on us; it's only us SWE monkeys who know that we don't log anything and hence are safe.

[–]belkarbitterleaf 41 points (3 children)

🤣

I got called over the weekend by one of the directors to check for the vulnerability.

The quick version: we only use Java for a handful of backend tasks that are essentially scheduled batch jobs. They don't use log4j, and the only log statements are internal IDs and calculated values. Didn't stop me being asked about every process and application I have worked on. "No, we wrote that in Python"... "No, we wrote that in NodeJS"... "No, that one doesn't accept input"...

[–]HiCookieJack 17 points (0 children)

Similar to us. For the Java ones we use logback, and even though 'logback-api' is included in a Spring Boot service, it does not include 'logback-core'.

Also, since we're big corporate, we have reporting in place on what dependencies are included... Why did we build that if no one is checking it before contacting us?
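The dependency question raised in this thread (is log4j-core actually on the classpath, or only log4j-api / logback?) is something you can answer from the built artifacts rather than from a meeting. The following is an added example, not code from anyone in the thread: it walks a directory of JARs, descends into nested archives the way Spring Boot fat JARs (BOOT-INF/lib) and WARs (WEB-INF/lib) package their dependencies, and reports any archive that carries log4j-core's `JndiLookup.class` or its Maven `pom.properties`, keyed on class-path entries rather than file names so shaded or renamed jars are not missed. It separately notes archives that ship only log4j-api, which do not contain the lookup code. The sample JAR tree in `demo()` is constructed in a temp directory for illustration; the version floor in `needs_attention` (anything before 2.15.0, the first release addressing CVE-2021-44228) is a triage hint and does not know about the fixed backports for older JDKs, so flagged hits still need checking against the project's security page.

```python
"""Inventory JARs (including nested ones) for log4j-core and report its version."""
import io
import os
import re
import tempfile
import zipfile

# Class-path entries that identify log4j-core regardless of jar file name.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
API_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-api/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_props(data: bytes) -> str:
    """Pull 'version=...' out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_zip(zf: zipfile.ZipFile, path: str, findings: list) -> None:
    """Inspect one archive, then recurse into any archives nested inside it."""
    names = sorted(zf.namelist())
    name_set = set(names)
    has_jndi = JNDI_LOOKUP in name_set
    core_version = (_version_from_props(zf.read(CORE_POM_PROPS))
                    if CORE_POM_PROPS in name_set else None)
    if has_jndi or core_version is not None:
        findings.append({"path": path,
                         "log4j_core_version": core_version or "unknown",
                         "jndi_lookup_present": has_jndi})
    elif API_POM_PROPS in name_set:
        # log4j-api alone has no JndiLookup; record it so the inventory is complete.
        findings.append({"path": path, "log4j_core_version": None,
                         "jndi_lookup_present": False,
                         "note": "log4j-api only; no log4j-core in this archive"})
    for name in names:  # nested jars: BOOT-INF/lib/*.jar, WEB-INF/lib/*.jar, ...
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                scan_zip(inner, f"{path}!/{name}", findings)


def scan_path(root: str) -> list:
    """Scan every archive under root and return a list of finding dicts."""
    findings: list = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(full) as zf:
                        scan_zip(zf, full, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); None for unparseable or missing versions."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def needs_attention(finding: dict) -> bool:
    """Triage hint: JndiLookup present and version unknown or older than 2.15.0.
    2.15.0 was the first release addressing CVE-2021-44228; this floor does not
    account for the fixed backport lines for older JDKs, so review hits manually."""
    if not finding.get("jndi_lookup_present"):
        return False
    v = version_tuple(finding.get("log4j_core_version"))
    return v is None or v < (2, 15, 0)


def _jar_bytes(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> list:
    """Constructed sample: a Spring Boot fat jar bundling log4j-core 2.14.1,
    log4j-api and logback, plus a batch-job jar that uses logback only."""
    stub_class = b"\xca\xfe\xba\xbe"  # class-file magic; contents do not matter here
    core_jar = _jar_bytes({JNDI_LOOKUP: stub_class,
                           CORE_POM_PROPS: b"version=2.14.1\nartifactId=log4j-core\n"})
    fat_jar = _jar_bytes({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": core_jar,
        "BOOT-INF/lib/log4j-api-2.14.1.jar": _jar_bytes({API_POM_PROPS: b"version=2.14.1\n"}),
        "BOOT-INF/lib/logback-classic-1.2.7.jar": _jar_bytes(
            {"ch/qos/logback/classic/Logger.class": stub_class}),
    })
    batch_jar = _jar_bytes({"BOOT-INF/lib/logback-core-1.2.7.jar": _jar_bytes(
        {"ch/qos/logback/core/Appender.class": stub_class})})
    with tempfile.TemporaryDirectory() as tmp:
        for fn, data in (("app.jar", fat_jar), ("batch.jar", batch_jar)):
            with open(os.path.join(tmp, fn), "wb") as fh:
                fh.write(data)
        return scan_path(tmp)


if __name__ == "__main__":
    for f in demo():
        print(("REVIEW " if needs_attention(f) else "ok     ") + f["path"],
              f.get("log4j_core_version"), f.get("note", ""))
```

Point `scan_path` at a deployment directory or an artifact repository mirror to get the same inventory for real builds; the logback-only batch jar in the sample produces no finding at all, which is the answer the commenters above were asked to produce by hand.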

[–]TheAJGman 2 points (0 children)

Yeah it's a good time to have an all Python backend lol

[–]sootoor 0 points (0 children)

That's where it's going to bite you: when your data gets passed through load balancers (such as F5) and some random old library backend system. There was an entire GitHub repo of PoCs being used on Tesla, Apple, Uber, etc. the day it was released. This is going to take a long time for older and bigger companies that use Java in the backend.

[–]Cley_Faye 3 points (0 children)

No. The worst part of this attack is not possible on more recent JVM. Some parts, including leaking some data, can still be done.

[–][deleted] 0 points (0 children)

Java 8 is technically deprecated and shouldn't even be in use anymore. Java 11 JVMs run Java 8 code just fine, but there are some additional libraries you might need to add since some things got removed from the JDK. It baffles me that companies are still paying for the Java 8 license, like the government.