CISA issues emergency directive to fix Log4j vulnerability

The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021. Log4j is a Java-based open source logging library used in millions of …

  1. Gene Cash Silver badge

    Ah, Java

    Write once, crash everywhere.

    1. stiine Silver badge

      Re: Ah, Java

      A different company has found another log4j bug other than the one that everyone's patching for, so it's likely that we'll all be patching again before the end of the year...

    2. TheMeerkat Silver badge

      Re: Ah, Java

      You can’t blame the language for a third party library written in that language containing a stupid backdoor.

      1. Warm Braw

        Re: Ah, Java

        You can’t blame the language

        There are plenty of people who still blame programmers for buffer overflows in C.

        In this case, it isn't the language, per se, but JNDI: a pretty fundamental component of the "enterprise" applications framework and it's been the source of a string of exploits so it's clear where the finger should be pointing.

        1. Cederic Silver badge

          Re: Ah, Java

          Quite why Log4J chose to allow access to JNDI is more interesting, plus the failure to escape logging strings.

          This is not a language issue.

  2. man_iii

    Cuppa joe

    It's like how coffee lubricates more than just ease of use by also enabling attackers equal access to the systems

    I've always wondered about syslog being better suited for logging even for apps rather than let the developers write their own logging code.

  3. martyn.hare

    Remember folks

    Log4j 2.x is what’s impacted, not all those creaky old systems you forgot to patch running an ancient 1.2.x atop some random old Tomcat version!
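The point above, that only the Log4j 2.x line carries this flaw while the 1.2.x line is merely end-of-life, is exactly what an inventory pass has to separate. The following script is an added example written for this page, not code from The Register, CISA or the Apache project: it walks a directory tree, recognises Log4j jars by filename, and sorts them into "affected 2.x core", "2.x core at or above the patched baseline", "1.x end-of-life" and "2.x non-core" buckets. The patched baseline `FIXED_2X = (2, 17, 0)` and the sample filenames in `demo()` are assumptions chosen for illustration; set the baseline to whatever your current vendor or CISA guidance requires.

```python
"""Inventory helper: classify Log4j jars found under a directory tree (added example)."""
import re
import tempfile
from pathlib import Path

# Assumed patched baseline for the 2.x line; not taken from the thread.
# Adjust to current guidance before relying on the "fixed" label.
FIXED_2X = (2, 17, 0)

# Matches log4j-1.2.17.jar, log4j-core-2.14.1.jar, log4j-1.2-api-2.17.0.jar, ...
JAR_RE = re.compile(
    r"^log4j(?:-(?P<artifact>[a-z0-9.-]+))?-(?P<ver>\d+(?:\.\d+)*)\.jar$",
    re.IGNORECASE,
)


def parse_version(ver: str) -> tuple:
    """'2.14.1' -> (2, 14, 1); tuples compare correctly unlike raw strings."""
    return tuple(int(part) for part in ver.split("."))


def classify_jar(filename: str, fixed: tuple = FIXED_2X) -> str:
    """Return an inventory label for one jar filename."""
    match = JAR_RE.match(filename)
    if not match:
        return "not-log4j"
    artifact = (match.group("artifact") or "").lower()
    version = parse_version(match.group("ver"))
    if version[0] == 1:
        # Not in scope of the 2.x JNDI lookup fix, but unsupported: track it separately.
        return "log4j-1.x-eol"
    if version[0] == 2:
        if artifact != "core":
            # log4j-api, bridges and adapters do not contain the lookup implementation.
            return "log4j-2.x-other"
        return "log4j-core-2.x-fixed" if version >= fixed else "log4j-core-2.x-affected"
    return "log4j-unknown"


def scan_tree(root: Path, fixed: tuple = FIXED_2X) -> dict:
    """Group every recognised Log4j jar under root by its label."""
    results: dict = {}
    for path in root.rglob("*.jar"):
        label = classify_jar(path.name, fixed)
        if label != "not-log4j":
            results.setdefault(label, []).append(str(path.relative_to(root)))
    for paths in results.values():
        paths.sort()
    return results


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and scan it."""
    sample = [  # constructed filenames, not from any real host
        "new-app/WEB-INF/lib/log4j-core-2.14.1.jar",
        "new-app/WEB-INF/lib/log4j-api-2.14.1.jar",
        "patched-app/lib/log4j-core-2.17.0.jar",
        "patched-app/lib/log4j-1.2-api-2.17.0.jar",
        "old-tomcat/lib/log4j-1.2.17.jar",
        "old-tomcat/lib/commons-lang3-3.12.0.jar",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in sample:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"")  # empty placeholder; only the name matters here
        return scan_tree(root)


if __name__ == "__main__":
    for label, paths in sorted(demo().items()):
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```

This is a filename heuristic only: it will miss Log4j classes repackaged into shaded or fat jars and pre-release names such as `2.0-beta9`, so treat its output as a first cut to be confirmed against jar manifests or a software bill of materials, not as proof that a host is clean.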

    1. Aitor 1

      Re: Remember folks

      That is even more annoying.

      Our old, almost unsupported software is fine. The new stuff is what is affected.

      1. Matthew 25

        Re: Remember folks

        Surely it's good that all that old stuff that no one knows about isn't affected. Saves an awful lot of work.

    2. Anonymous Coward

      Re: Remember folks

      Yeah, but all that old log4j 1.x stuff probably has different issues of its own!

      1. Anonymous Coward

        Re: Remember folks

        As long as we understand unsupported means vendors no longer need to tell us

  4. amanfromMars 1 Silver badge

    If needs must, Global Operating Devices always provide Sponsoring States .... ???? ‽ !!!!!! :-)

    "Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit." .. said Felipe Tarijon, a malware analyst at AppGate, in an email to The Register.

    The Register may prefer to realise and speculate that the really novel news nowadays of internetional concern and traditional conventional security worry, is of flaws and the likes of 0day vulnerabilities being exploited and expanded upon by several stateless groups/virtual entities which have decided to support engaging nations, which is certainly not the same as a state-sponsored group, but can easily change to be so in order to enjoy and employ the obvious benefits/costs delivered in being touted as such.
