8 months on, US says Log4Shell will be around for “a decade or longer” – Naked Security

Remember Log4Shell?

It was a dangerous bug in a popular open-source Java programming toolkit called Log4j (short for “Logging for Java”), published by the Apache Software Foundation under a liberal, free source code license.

If you’ve ever written software of any sort, from the simplest BAT file on a Windows laptop to the gnarliest mega-application running on a whole rack of servers, you’ll have used logging commands.

From basic output such as echo "Starting calculations (this may take a while)" printed to the screen, all the way to formal messages saved in a write-once database for auditing or compliance reasons, logging is a vital part of most programs, especially when something breaks and you need a clear record of exactly how far you got before the problem hit.

The Log4Shell vulnerability (actually, it turned out there were several related problems, but we’ll treat them all as if they were one big issue here, for simplicity) turned out to be half-bug, half-feature.

In other words, Log4j did what it said in the manual, unlike in a bug such as a buffer overflow, where the offending program incorrectly tries to mess around with data it promised it would leave alone…

… But unless you had read the manual really carefully, and taken additional precautions yourself by adding a layer of careful input verification on top of Log4j, your software could come unstuck.

Really, badly, totally unstuck.
