DOOOOOOOOOOOM: Log4J

**ladymuck** · 14 December 2021, 13:04

Surely this should be a DOOOOOOOOOOOM thread

**BigDataPro** · 14 December 2021, 13:08

Originally posted by ladymuck View Post

Surely this should be a DOOOOOOOOOOOM thread

It is now!

**Lance** · 14 December 2021, 13:56

too many companies finding out that they don't have a scooby doo what they're using and where it is.

It's not like log4j is part of an installed package, so most software inventories aren't aware of where it is.
And even updated and patched applications might not have updated and patched log4j

It's a bloody mess and I blame the programmers....

**jamesbrown** · 14 December 2021, 14:02

I blame all the weird crap that gets bolted onto otherwise simple implementations for "enterprise" reasons. "Oh, wouldn't it be cool if it could do this? Can we give you some money for it?" No, it wouldn't, no, don't bother.

**hobnob** · 14 December 2021, 14:37

In terms of inventory, I'll repeat my comment from another thread:
"Some people have argued that this demonstrates the need for SBOM (Software Build Of Materials). The idea is that each application would include a list of all the modules etc. that it uses, then you can search through the list in a situation like this rather than having to hunt around all the vendors websites. However, there's still an argument for testing each device/website to check whether it's affected."
What no atW/SE DOOM thread yet? - Contractor UK Bulletin Board

Also, a tip for anyone using Tenable software to scan for this: they've added a template, but it requires SSH/Windows authentication to work properly (even though the attack will work without authentication). My first scan (without authentication) said that everything was fine, even when I knew that certain software (e.g. vCenter) was vulnerable.

**NotAllThere** · 14 December 2021, 17:52

Build of materials? Is that right? I thought it was Bill of Materials.

**hobnob** · 14 December 2021, 19:28

Originally posted by NotAllThere View Post

Build of materials? Is that right? I thought it was Bill of Materials.

Based on a Google search, both terms are in use. "Bill" probably makes more sense (to match a "Bill of Materials" for non-software), but I think that "Build" is either a common typo or based on the process of building software from various components.

**eek** · 15 December 2021, 08:15

Originally posted by jamesbrown View Post

I blame all the weird crap that gets bolted onto otherwise simple implementations for "enterprise" reasons. "Oh, wouldn't it be cool if it could do this? Can we give you some money for it?" No, it wouldn't, no, don't bother.

Not quite - this is more, if we log things we can find out where things go wrong in the wild - and there is this library that does it for us.

The problem is that it often isn't the core program that is asking for the library it's some third or fourth party subroutine that is using the logging code.

**jamesbrown** · 15 December 2021, 10:15

Originally posted by eek View Post

Not quite - this is more, if we log things we can find out where things go wrong in the wild - and there is this library that does it for us.

The problem is that it often isn't the core program that is asking for the library it's some third or fourth party subroutine that is using the logging code.

I think you misunderstood my point. Have you seen log4j recently? It provides look-ups and bindings for all sorts of crap, like docker container names, liquibase bindings etc. etc. etc.

DOOOOOOOOOOOM: Log4J