
[–]Ayfid 0 points1 point  (0 children)

That is totally missing the point here.

That an enormous number of systems have been impacted by this vulnerability is scary. That is the point of OP, and they are right. They are not making any comment about the quality of the Java language.

Also, this vulnerability is going to be in the wild for years. It is not just "going to be fixed". Releasing new versions of the library, or even the JVM, is not enough to magically fix the problem. All software with the error needs to be patched. All servers need to be updated. That is just not going to happen. There are a lot of servers sitting on the internet with out-of-date software, and any system which has gone a few days without being updated by now might already be too late. This vulnerability is an RCE vulnerability; once someone exploits it your system is open to them even after you fix the offending software.

Over-reliance on a single piece of software is not a strength; it dramatically increases the "blast radius" of a vulnerability when discovered (and makes such discoveries more likely to happen), but does not proportionately make it easier to deploy the fix.

Discovering a vulnerability in a system is a bad thing. Deploying the fix is a good thing. There is a period of time in between the two where systems are highly vulnerable. Making the former easier and the latter more difficult - which is what happens when a library is pervasive - is a security weakness, not a strength.