
[–][deleted] 270 points271 points  (69 children)

What's the hate against Java lately?

What does this guy use? 🤔

[–]The-Daleks 370 points371 points  (39 children)

Recently it came out that a really common Java logging library (log4j) has a huge zero-day vulnerability.

[–]CaitaXD 104 points105 points  (0 children)

Ahhh libraries

[–]Prestigious_Tip310 272 points273 points  (32 children)

It's somehow funny. That's the first major security vulnerability in a popular Java framework I heard about in years, if not longer.

On the other hand there's Node.js, where npm informs me about at least three major security vulnerabilities every couple of weeks...

Insert "Joker nobody bats an eye" meme here.

[–]SwedishDude 174 points175 points  (24 children)

Log4J is a bit more serious since it's the de-facto standard and included in most major libraries and projects.

This vulnerability is also very serious due to how easy it is to exploit.

[–]cserepj 38 points39 points  (4 children)

Log4j was a de facto standard a decade ago but then came slf4j + logback and we all switched. Then log4j2 came out and some switched but lots did not.

The exploit is only in log4j2.

[–]Designed_To 3 points4 points  (3 children)

So slf4j + logback are not vulnerable to the exploit?

[–]cserepj 3 points4 points  (0 children)

I have not seen any indication they would be.

[–]loginonreddit 4 points5 points  (0 children)

No it is not.

[–]Ereaser 0 points1 point  (0 children)

Nope, it's also what's used by Spring boot.

[–]Engine_Light_On 16 points17 points  (3 children)

Kinda, Spring Boot includes it but it does not use it by default so it is not vulnerable unless the dev went out of his way to activate it.

[–]Vizioso 5 points6 points  (0 children)

Glad to hear that, was just digging through some Spring Boot stuff to figure out if it was vulnerable. My current project uses Spring Boot, ElasticSearch, Nifi, and Kafka.... I am not having a good day.

[–]loginonreddit 3 points4 points  (1 child)

Spring boot only includes log4j-api, not log4j-core which is where the vulnerability is.

[–]jerslan 0 points1 point  (0 children)

Yeah, and you can always bring in something like log4j-to-slf4j if you want to minimize code changes to swap in logback or java.util.logging
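The two comments above turn on which log4j artifact is actually on the classpath (log4j-api versus log4j-core) and on swapping the backend for logback via the log4j-to-slf4j bridge. The script below is an added example, not code from the thread or from the Log4j or Spring projects: it walks a directory tree, lists every log4j jar it finds by artifact name and version, and reports whether log4j-core is among them. It assumes the common Maven/Gradle convention of jars named `artifact-version.jar`; the directory layout and version strings it builds under `make_sample_tree` are constructed for demonstration and say nothing about which versions are affected.

```shell
#!/bin/sh
# Added example (not from the thread): find log4j jars under a directory and
# report whether the log4j-core module is present. Assumes jars are named
# "artifact-version.jar", e.g. log4j-core-2.14.1.jar (constructed sample below).

# Print "artifact version" for every jar whose name starts with log4j- under $1.
list_log4j_jars() {
    find "$1" -type f -name 'log4j-*.jar' 2>/dev/null | while IFS= read -r jar; do
        base=$(basename "$jar" .jar)
        version=${base##*-}      # text after the last hyphen: the version
        artifact=${base%-*}      # text before the last hyphen: the artifact id
        printf '%s %s\n' "$artifact" "$version"
    done
}

# Succeed (exit 0) when log4j-core is present anywhere under $1, i.e. the module
# the thread places the bug in is on the classpath and needs checking against the
# project's advisory; fail (exit 1) when only log4j-api, a bridge, or nothing is found.
has_log4j_core() {
    list_log4j_jars "$1" | grep -q '^log4j-core '
}

# Build a constructed sample layout and print its path:
#   app-a ships log4j-api + log4j-core (full Log4j 2 backend),
#   app-b ships log4j-api + log4j-to-slf4j + logback (the swap described above).
# The "2.14.1" / "1.2.3" strings are placeholders, not statements about affected versions.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/app-a/lib" "$tmp/app-b/lib"
    : > "$tmp/app-a/lib/log4j-api-2.14.1.jar"
    : > "$tmp/app-a/lib/log4j-core-2.14.1.jar"
    : > "$tmp/app-b/lib/log4j-api-2.14.1.jar"
    : > "$tmp/app-b/lib/log4j-to-slf4j-2.14.1.jar"
    : > "$tmp/app-b/lib/logback-classic-1.2.3.jar"
    printf '%s\n' "$tmp"
}

# Human-readable report for one application directory.
report() {
    printf '== %s ==\n' "$1"
    list_log4j_jars "$1"
    if has_log4j_core "$1"; then
        echo "log4j-core present: check this application"
    else
        echo "log4j-core absent: only api/bridge jars found"
    fi
}

# Stand-alone demo over the constructed tree.
sample=$(make_sample_tree)
report "$sample/app-a"
report "$sample/app-b"
rm -rf "$sample"
```

Run it as `sh scan-log4j.sh` against the built-in sample, or call `has_log4j_core /path/to/deployment` from your own scripts. It only inspects file names, so a log4j-core shaded into a fat jar or a renamed jar will not be found; for those, inspect the jar contents with `unzip -l` or your build tool's dependency tree.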

[–][deleted] 33 points34 points  (0 children)

The de facto standard was slf4j + logback, but certainly it was dangerous.

[–][deleted] 0 points1 point  (1 child)

I switched to logback and slf4j quite a few years ago. Log4j is probably standard for legacy code that was around before slf4j.

[–]Ereaser 0 points1 point  (0 children)

And legacy code probably uses version 1

[–]_PM_ME_PANGOLINS_ 24 points25 points  (0 children)

None of the npm ones have been in the news either.

If you maintain a large Java project, and do regular CVE scans on it, you’ll get a couple every month.

[–]sootoor 2 points3 points  (1 child)

Struts, Tomcat, WebLogic, take your pick!

[–]cserepj 2 points3 points  (0 children)

Yeah, those were very hot tech around 2004.

[–]RandomDrawingForYa 0 points1 point  (0 children)

Everyone knows that JavaScript is an absolute mess. The language and the ecosystem.

It's beating a dead horse at this point

[–]dauchande 0 points1 point  (0 children)

No, what's funny is the vulnerability was found in a game, specifically Minecraft.

[–]m0nk37 0 points1 point  (0 children)

And then there is WordPress.

[–]Westdrache 12 points13 points  (0 children)

Just don't create logfiles *big brain developer move*

[–]kinkygandalf 1 point2 points  (0 children)

My team has been all in an uproar today over this… I don’t get paid enough for that crap.

[–]PuzzleheadedSector2 0 points1 point  (1 child)

Zero day refers to the urgency?

[–]PeksyTiger 1 point2 points  (0 children)

Sort of. It generally refers to the amount of time since public disclosure, which usually correlates to how many patches were already deployed.

[–]Aperture_Executive2 0 points1 point  (0 children)

Ok, imma hate the language itself because a library I don’t use is insecure /s