Now the patch needs patching.  Don't you hate when that happens?

https://arstechnica.com/information-technology/2021/12/patch-fixing-critical-log4j-0-day-has-its-own-vulnerability-thats-under-exploit/

On Wed, 22 Dec 2021, 17:21 Dan Cash, <dan.c...@gmail.com> wrote:

> lol.
>
>
> On Thu, 16 Dec 2021 at 18:13, Dr Greg Low <g...@sqldownunder.com> wrote:
>
>> I chuckled when I saw this again the other day:
>>
>> If only it wasn't true.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Greg
>>
>>
>>
>> Dr Greg Low
>>
>>
>>
>> 1300SQLSQL (1300 775 775) office | +61 419201410 mobile
>>
>> SQL Down Under | Web: https://sqldownunder.com | About me:
>> https://greglow.me
>>
>>
>>
>> *From:* ozdotnet-boun...@ozdotnet.com <ozdotnet-boun...@ozdotnet.com> *On
>> Behalf Of *Greg Keogh
>> *Sent:* Thursday, 16 December 2021 6:00 PM
>> *To:* ozDotNet <ozdotnet@ozdotnet.com>
>> *Subject:* [OT] log4j Internet Doom
>>
>>
>>
>> It's almost Friday ...
>>
>>
>>
>> Many of you might have read the blazing headlines everywhere that the
>> whole Internet is about to crash because of a security vulnerability in
>> log4j. I haven't written Java since early 2001, so I went looking for tech
>> details.
>>
>>
>>
>> It turns out someone wrote an appender (in our log4net terms) that parsed
>> a Uri out of a special bit of syntax, then blindly loaded and ran what was
>> at the Uri. I mean, what could possibly go wrong? I think that this guilty
>> JNDI appender is available by default, that is, it's in the JAR or
>> something like that (I can't get further fine details on that).
>>
>>
>>
>> So it's a bit like *Aircrash Investigations* where it takes multiple
>> things to go wrong and make a bigger wrong.
>>
>>
>>
>> Who could have imagined that a logging library would bring the Internet
>> down?!
>>
>>
>>
>> *Greg*
>>
>
>
> --
> Dan Cash
> -m. 0411 468 779
> -e. dan.c...@gmail.com
>
> F.A.B. Information Systems Pty Ltd   ABN 16 084 146 261
>
>
