Log4j - What are people seeing - anythign to report?

julian

@phenomlab Apparently the fix is not adequate, and the vulnerability is open again!

We don't touch anything related to java here, although who knows what other software we depend on uses... at the very least, NodeBB instances shouldn't be affected, unless they use Solr as their search engine.

gotwf

@julian said in Log4j - What are people seeing - anythign to report?:

unless they use Solr as their search engine

Ouch! Or maybe, Yikes!!

Heh, I have been meaning to experiment further w/Solr.

julian

@gotwf I think the new hotness is elasticsearch.

But you know what I want to play around with? https://typesense.org/

PitaJ

@julian there's also https://www.meilisearch.com/

cronlabspl

I agree with @phenomlab above: log4j is widely used and extremely popular. So it was only mattrer of time. This was fully .` to happen, thus not yet.

All ( or almost all ) of the so-called remedies out there is useless.

There is absolutely no need to use log4j; one can write own logger ( its not so hard ), or use built-in logging feature. Many frameworks ( php, python..... ) has one.

Here is what the simplest logger tads in JS

// Set log-text to, say, app name
let xii = {namespace}.appName;

// Log
Console.log(xii);

Above is 100% hack-proof

phenomlab

@macfan Agree with this, but the core issue here is software that comes prebundled with log4j - not so much self-developed code.

gotwf

@julian said in Log4j - What are people seeing - anythign to report?:

@gotwf I think the new hotness is elasticsearch.

But you know what I want to play around with? https://typesense.org/

I think not. Substitute "new" for "was" then I concur. Modern times methinks Opensearch will put many nails in their coffin.

Opensearch

GitHub Project Page

Wikipedia Page

Seems many, many thousands of end lusers are less than fond of the SSPL.

Be all that as it may, horses for courses. Each optimizes for slightly different niches. Each do so very well. Indeed.

Rock on!

gotwf

@pitaj said in Log4j - What are people seeing - anythign to report?:

@julian there's also https://www.meilisearch.com/

Looks interesting. Promising, even. Young, yet though, eh? Worth keeping a thumb on its pulse.

cronlabspl

@gotwf said in Log4j - What are people seeing - anythign to report?:

Wikipedia Page

Really?
Wiki sucks terrible on so many surfaces.......... Its not definite source for sure.

As of OpenSearch:: it seems that its near deprecation, so its no worthy mentioning.........although the code itself is of pretty good quality and can be reused in something bigger...........

Although I personally would use nothing that - in any point of time - has been touched by Mozilla ( former / current ) employee ( s )

gotwf

@macfan said in Log4j - What are people seeing - anythign to report?:

@gotwf said in Log4j - What are people seeing - anythign to report?:

Wikipedia Page

Really?
Wiki sucks terrible on so many surfaces.......... Its not definite source for sure.

Hence why it was only one of three cited links.

As of OpenSearch:: it seems that its near deprecation, so its no worthy mentioning.........although the code itself is of pretty good quality and can be reused in something bigger...........

Mayhaps I am confused but did not Amazon "donate" it to OpenSearch.Org?

Although I personally would use nothing that - in any point of time - has been touched by Mozilla ( former / current ) employee ( s )

I presume you are referencing millisearch here? I did not look at its origins.