DOOOOOOOOOOOM: Log4J

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

xoggoth replied

16 December 2021, 11:22
Originally posted by ladymuck View Post

Surely this should be a DOOOOOOOOOOOM thread

It was! I doomed it!

https://forums.contractoruk.com/gene...hread-yet.html
Leave a comment:
jamesbrown replied

15 December 2021, 10:15
Originally posted by eek View Post

Not quite - this is more, if we log things we can find out where things go wrong in the wild - and there is this library that does it for us.

The problem is that it often isn't the core program that is asking for the library it's some third or fourth party subroutine that is using the logging code.

I think you misunderstood my point. Have you seen log4j recently? It provides look-ups and bindings for all sorts of crap, like docker container names, liquibase bindings etc. etc. etc.
Leave a comment:
eek replied

15 December 2021, 08:15
Originally posted by jamesbrown View Post

I blame all the weird crap that gets bolted onto otherwise simple implementations for "enterprise" reasons. "Oh, wouldn't it be cool if it could do this? Can we give you some money for it?" No, it wouldn't, no, don't bother.

Not quite - this is more, if we log things we can find out where things go wrong in the wild - and there is this library that does it for us.

The problem is that it often isn't the core program that is asking for the library it's some third or fourth party subroutine that is using the logging code.
Leave a comment:
hobnob replied

14 December 2021, 19:28
Originally posted by NotAllThere View Post

Build of materials? Is that right? I thought it was Bill of Materials.

Based on a Google search, both terms are in use. "Bill" probably makes more sense (to match a "Bill of Materials" for non-software), but I think that "Build" is either a common typo or based on the process of building software from various components.
Leave a comment:
NotAllThere replied

14 December 2021, 17:52
Build of materials? Is that right? I thought it was Bill of Materials.
Leave a comment:
hobnob replied

14 December 2021, 14:37
In terms of inventory, I'll repeat my comment from another thread:
"Some people have argued that this demonstrates the need for SBOM (Software Build Of Materials). The idea is that each application would include a list of all the modules etc. that it uses, then you can search through the list in a situation like this rather than having to hunt around all the vendors websites. However, there's still an argument for testing each device/website to check whether it's affected."
What no atW/SE DOOM thread yet? - Contractor UK Bulletin Board

Also, a tip for anyone using Tenable software to scan for this: they've added a template, but it requires SSH/Windows authentication to work properly (even though the attack will work without authentication). My first scan (without authentication) said that everything was fine, even when I knew that certain software (e.g. vCenter) was vulnerable.
Leave a comment:
jamesbrown replied

14 December 2021, 14:02
I blame all the weird crap that gets bolted onto otherwise simple implementations for "enterprise" reasons. "Oh, wouldn't it be cool if it could do this? Can we give you some money for it?" No, it wouldn't, no, don't bother.
Leave a comment:
Lance replied

14 December 2021, 13:56
too many companies finding out that they don't have a scooby doo what they're using and where it is.

It's not like log4j is part of an installed package, so most software inventories aren't aware of where it is.
And even updated and patched applications might not have updated and patched log4j

It's a bloody mess and I blame the programmers....
Leave a comment:
BigDataPro replied

14 December 2021, 13:08
Originally posted by ladymuck View Post

Surely this should be a DOOOOOOOOOOOM thread

It is now!
Leave a comment:
ladymuck replied

14 December 2021, 13:04
Surely this should be a DOOOOOOOOOOOM thread
Leave a comment:
BigDataPro started a topic DOOOOOOOOOOOM: Log4J

14 December 2021, 12:54
DOOOOOOOOOOOM: Log4J

Businesses all over the world are scrambling to fix the recent Log4J vulnerability. Client has postponed a Prod deployment that was supposed to happen today.

https://thehackernews.com/2021/12/ex...erability.html

Log4j: Serious software bug has put the entire internet at risk | New Scientist

Attacks exploiting the bug, known as Log4Shell attacks, have been happening since 9 December

Last edited by BigDataPro; 14 December 2021, 13:07.
Tags: None