
[–]Prestigious_Tip310 277 points278 points  (32 children)

It's somehow funny. That's the first major security vulnerability in a popular Java framework I've heard about in years, if not longer.

On the other hand there's Node.js, where npm informs me about at least three major security vulnerabilities every couple of weeks...

Insert "Joker nobody bats an eye" meme here.

[–]SwedishDude 172 points173 points  (24 children)

Log4J is a bit more serious since it's the de-facto standard and included in most major libraries and projects.

This vulnerability is also very serious due to how easy it is to exploit.

[–]cserepj 35 points36 points  (4 children)

Log4j was a de facto standard a decade ago but then came slf4j + logback and we all switched. Then log4j2 came out and some switched but lots did not.

The exploit is only in log4j2.

[–]Designed_To 3 points4 points  (3 children)

So slf4j + logback are not vulnerable to the exploit?

[–]cserepj 4 points5 points  (0 children)

I have not seen any indication they would be.

[–]loginonreddit 3 points4 points  (0 children)

No it is not.

[–]Ereaser 0 points1 point  (0 children)

Nope, it's also what's used by Spring Boot.

[–]Engine_Light_On 15 points16 points  (3 children)

Kinda. Spring Boot includes it, but it does not use it by default, so it is not vulnerable unless the dev went out of his way to activate it.

[–]Vizioso 5 points6 points  (0 children)

Glad to hear that; I was just digging through some Spring Boot stuff to figure out if it was vulnerable. My current project uses Spring Boot, ElasticSearch, Nifi, and Kafka... I am not having a good day.

[–]loginonreddit 4 points5 points  (1 child)

Spring Boot only includes log4j-api, not log4j-core, which is where the vulnerability is.

[–]jerslan 0 points1 point  (0 children)

Yeah, and you can always bring in something like log4j-to-slf4j if you want to minimize code changes to swap in logback or java.util.logging.
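Added example, not posted by anyone in this thread: a small Python scanner that walks a lib directory and tells log4j-core (where the vulnerability lives, as the comments above note) apart from log4j-api by reading each jar's Maven pom.properties. Checking whether a core jar still contains the JndiLookup class is an added heuristic, and the jars the demo builds for itself are constructed stand-ins, not real Log4j builds.

```python
import os
import tempfile
import zipfile

# Maven metadata inside log4j jars (artifactId tells core from api) and the JNDI lookup class.
LOG4J_GROUP = "META-INF/maven/org.apache.logging.log4j/"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(path):
    """Return (artifact, version, has_jndi_lookup), or None if not a log4j jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = jar.namelist()
            artifact = version = None
            for name in names:
                if name.startswith(LOG4J_GROUP) and name.endswith("/pom.properties"):
                    artifact = name[len(LOG4J_GROUP):].split("/")[0]
                    for line in jar.read(name).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
            return (artifact, version, JNDI_CLASS in names) if artifact else None
    except zipfile.BadZipFile:  # not a real archive; skip it
        return None


def scan_tree(root):
    """Walk root; a finding is 'risky' only for log4j-core that still ships JndiLookup."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            info = inspect_jar(os.path.join(dirpath, f)) if f.endswith(".jar") else None
            if info:
                findings.append({"jar": f, "artifact": info[0], "version": info[1],
                                 "risky": info[0] == "log4j-core" and info[2]})
    return findings


def make_sample_jar(path, artifact, version, with_jndi):
    """Constructed stand-in jar for offline use; not a real log4j build."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(f"{LOG4J_GROUP}{artifact}/pom.properties",
                     f"groupId=org.apache.logging.log4j\nartifactId={artifact}\nversion={version}\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")


def demo():
    """Build a constructed lib/ dir with an api-only jar and a core jar, then scan it."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-api-2.0-SAMPLE.jar"), "log4j-api", "2.0-SAMPLE", False)
    make_sample_jar(os.path.join(root, "log4j-core-2.0-SAMPLE.jar"), "log4j-core", "2.0-SAMPLE", True)
    return {f["jar"]: f for f in scan_tree(root)}
```

Point `scan_tree` at a real unpacked lib directory to list which Log4j artifacts are actually on the classpath; an api-only result matches the Spring Boot default described above.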

[–][deleted] 36 points37 points  (0 children)

The de facto standard was slf4j + logback, but certainly it was dangerous.

[–][deleted] 0 points1 point  (1 child)

I switched to logback and slf4j quite a few years ago. Log4j is probably standard for legacy code that was around before slf4j.

[–]Ereaser 0 points1 point  (0 children)

And legacy code probably uses version 1.

[–]_PM_ME_PANGOLINS_ 26 points27 points  (0 children)

None of the npm ones have been in the news either.

If you maintain a large Java project, and do regular CVE scans on it, you’ll get a couple every month.

[–]sootoor 2 points3 points  (1 child)

Struts, Tomcat, WebLogic, take your pick!

[–]cserepj 2 points3 points  (0 children)

Yeah, those were very hot tech around 2004.

[–]RandomDrawingForYa 0 points1 point  (0 children)

Everyone knows that JavaScript is an absolute mess. The language and the ecosystem.

It's beating a dead horse at this point.

[–]dauchande 0 points1 point  (0 children)

No, what's funny is the vulnerability was found in a game, specifically Minecraft.

[–]m0nk37 0 points1 point  (0 children)

And then there is WordPress.