Ah, Java
Write once, crash everywhere.
The US government's Cybersecurity and Infrastructure Security Agency (CISA) on Friday escalated its call to fix the Apache Log4j vulnerability with an emergency directive requiring federal agencies to take corrective action by 5 pm EST on December 23, 2021. Log4j is a Java-based open source logging library used in millions of …
You can’t blame the language
There are plenty of people who still blame programmers for buffer overflows in C.
In this case, it isn't the language, per se, but JNDI: a pretty fundamental component of the "enterprise" applications framework, and it's been the source of a string of exploits, so it's clear where the finger should be pointing.
"Several state-sponsored groups are exploiting the flaw in the wild and making modifications to the Log4j exploit." ... said Felipe Tarijon, a malware analyst at AppGate, in an email to The Register.
The Register may prefer to realise and speculate that the really novel news nowadays of internetional concern and traditional conventional security worry, is of flaws and the likes of 0day vulnerabilities being exploited and expanded upon by several stateless groups/virtual entities which have decided to support engaging nations, which is certainly not the same as a state-sponsored group, but can easily change to be so in order to enjoy and employ the obvious benefits/costs delivered in being touted as such.