Isn't all of this due to evaluating input strings?
Why on earth would you want to evaluate strings logged?
The Apache Software Foundation (ASF) has revealed a third bug in its Log4 Java-based open-source logging library Log4j. CVE-2021-45105 is a 7.5/10-rated infinite recursion bug that was present in Log4j2 versions 2.0-alpha1 through 2.16.0. The fix is version 2.17.0 of Log4j. That’s the third new version of the tool in the last …
There are a lot of options for not using Log4J. Start with SLF4J as an API then pick a good implementation that's not Log4J.
You can even write your own implementation for java.util.logging or SLF4J when use cases demand it. It's a couple days of work. (Absolutely never blocking was a case for me. Most loggers can block for disk I/O or semaphores.)
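As an added illustration of the "never blocking" requirement mentioned above (example code, not the commenter's own): a hypothetical java.util.logging Handler, here called NonBlockingHandler, that hands records to a bounded queue and drops them when the queue is full, so a slow disk or a contended lock in the log path can never stall the application thread.

```java
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.atomic.AtomicLong;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import java.util.logging.SimpleFormatter;

// Hypothetical java.util.logging Handler that never blocks the calling thread:
// records go into a bounded queue, a daemon thread does the I/O, and when the
// queue is full the record is dropped and counted instead of stalling the app.
public class NonBlockingHandler extends Handler {
    private final ArrayBlockingQueue<LogRecord> queue;
    private final AtomicLong dropped = new AtomicLong();
    private final Thread writer;
    public NonBlockingHandler(int capacity) {
        queue = new ArrayBlockingQueue<>(capacity);
        setFormatter(new SimpleFormatter());
        writer = new Thread(this::drain, "log-writer");
        writer.setDaemon(true);
        writer.start();
    }
    @Override public void publish(LogRecord record) {
        if (!isLoggable(record)) return;
        // offer() returns at once: no disk I/O or lock wait on the caller's thread
        if (!queue.offer(record)) dropped.incrementAndGet();
    }
    private void drain() {
        try {
            while (!Thread.currentThread().isInterrupted()) {
                // message text is written as-is; nothing inside it is interpreted
                System.err.print(getFormatter().format(queue.take()));
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }
    public long droppedCount() { return dropped.get(); }
    @Override public void flush() { }
    @Override public void close() { writer.interrupt(); }
    public static void main(String[] args) throws Exception {
        Logger log = Logger.getLogger("demo");
        log.setUseParentHandlers(false);
        NonBlockingHandler h = new NonBlockingHandler(1024);
        log.addHandler(h);
        // constructed input: untrusted text goes in as a parameter, not as the format
        log.log(Level.INFO, "request from client: {0}", "constructed user-agent string");
        Thread.sleep(200); // give the daemon writer a moment before the JVM exits
    }
}
```

Dropping records under pressure is a deliberate trade-off; droppedCount() exposes how many were lost so the loss is visible rather than silent.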
Oh yes, I was told I had to do emergency patching for some legacy software I support but I pointed out it uses a version below 2.0 so was fine thank you very much and once again was better/safer than the modern and vibrant products brought in 'to replace it'.
I would go on a rant now about how every reason used to justify the 6 year multi-million project to do the replacement has been proven to be complete garbage but this is El Reg, we all know how this goes and why people need these major projects on their CV. If the company want to spend millions more every year on licenses for the multiple new products rather than learning how to use the one which was perfectly capable of doing everything they needed that is not my call.
Anon because someone out there may be taking a break from tearing out their hair, although they may still work out who I am... Meh
Wait, are you saying you are proudly using unsupported dependencies which are likely to have further unknown vulnerabilities? And you think this is a good thing right? Interesting. Infosec is not amused.
P.s. agree ASF projects are a bloated mess, which makes them inherently more likely to introduce bugs like this. However, not a sufficient reason to ignore the basics. If you don't trust the package replace it with something simpler you can audit, don't just sit on an old version and pretend everything is fine.
This is just one of the many bad things that happen when you forget to simplicate and add lightness.
Just write to STDOUT ffs.
Disclosure, at $WORK we use log4perl which is inspired by this shite. I've never met anybody who can create a config for it as opposed to tweaking an existing (huge) file. I frequently find my diagnostic information has been spirited away to dog knows where. /rant
This layer upon layer problem reminds me of when I was a kid, and dad was redecorating a room in our Victorian semi. There were multiple layers of wallpaper, some of which had also been varnished or painted, so dad decided to strip the lot off. This took the entire family days to achieve, and when completed revealed a strange crack in the plaster. Yours truly started poking around, and a large lump came away. Rather than getting a mouthful of abuse, I noticed dad had gone very pale and silent - all the layers of crap had hidden rampant dry rot!
I had something similar: when I bought my house and stripped the wallpaper in the living room there were 17 layers, and that was the reason the last layer was woodchip wallpaper. It took weeks to get that off before the walls could be repainted.
Mind you the hall / stairs under more layers of wallpaper were painted dark green. That had to come off as well….
I never understood why, when people have the choice between highly secure quality products from the likes of Microsoft, Apple, Oracle et al. vs. software that has come from who knows where and contains who knows what, they choose the latter with depressingly predictable results.
When will people realise that these big corporations are successful because they attract the best people, pay them properly then put literally zero barriers between their typing and total excellence? I know that once my data is in an American Oracle database running on American Windows then that's where my data will stay. That's how trust is built. If you run Windows then you're packing tight and no-one's going to ravage your data. I literally can't remember the last time anyone discovered a flaw in Windows, Oracle, Apple. Therefore it just doesn't happen.
Open source projects simply cannot work and should not be used for anything more critical than a "hello Texas!" test app. The log4j fiasco, that has probably resulted in the Russians corrupting our youth into communism, socialism and bestiality, has proven this unequivocally and it's typical that under the trembling liver-spotted hands of near-corpse Biden, America has bent over and demanded communism and socialism DPs us, film the results and put the film out there for the world to laugh at us. Search "Liberal America has been literally DPd by communists" to see what I mean. And don't get me started on Linux because if anything caused covid, Linux did.
We need to take back control, and use only trusted and paid for US-written software and leave log4j to the Chinese. I hope The Register will do its bit to fix all this. As the old Texas saying goes: "Shoot your neighbour before he violates your dog."
I recommend you do exactly that. Never ever again use a bit of open source software for you personally or for the good state of Texas.
That will show us "commies" and "libtards" what we need to know and make your IT run smoothly on "highly secure quality products from the likes of Microsoft, Apple, Oracle". I do especially recommend the latter.
Yeah, while it was blatantly over the top and dripping sarcasm from every space between each word...
...in this day and age it closely resembles the sort of bollocks that some outlets are trying to pass off as "news".
It probably doesn't bode well for the future that it's getting so hard to tell the difference between reality and mockery. But thumb up, because it was a good one.
(small voice: it was taking the piss, right?)