back to article Sophos: Log4Shell would have been a catastrophe without the Y2K-esque mobilisation of engineers

Anti-malware outfit Sophos has weighed in on Log4Shell, saying that the galvanization of the IT world to avert disaster would be familiar to those who lived through the Y2K era. The Log4Shell vulnerability turned up in the common-as-muck Apache Log4j logging library late last year. As a remote code execution (RCE) flaw, …

  1. Anonymous Coward
    Anonymous Coward

    When you use a disorganised, unmaged language like JAVA that requires you to copy 100s of versions of the same class on a single asset instead of having one local respository.

    Why did Oracle not produce and APP to help customers manage the problem?

    No accountability for poor practices !!!!

    1. Nate Amsden Silver badge

      I've been working with developers building and managing SaaS type applications(web based) since 2003. My personal preference is java from an operations standpoint. It's just so much simpler. The polar opposite of that approach is things like node.js, dependency nightmare hell. PHP has been good and easy to manage as well. Ruby much less so. But Java, especially when it comes to things like Tomcat, works real well. I used Weblogic as well in the early days that was more messy/buggy.

      Certainly can't speak to how good each language is from a developer standpoint this is purely from an operations standpoint. And of course I really do hate it when developers are pulling in dependencies directly from the internet, such a bad practice. Mirror whatever dependencies you need on your internal network for better control/availability. It's been a standard practice for ops folks for 2+ decades but developers never seemed to care sadly, drives me mad. I remember spending a lot of time building tons custom RPM packages for ruby libraries back in 2007 for our servers, and fast forward 10+ years and the situation really hasn't changed, if anything it's gotten worse.

      I haven't seriously used log4j from an admin standpoint (as far as configuring it etc) since ~2006, but I really did like it at the time, very useful tool, loved the flexibility it had/has. Many apps I've used since I'm sure leveraged log4j but I haven't touched the configs of it since 2006.

    2. David 132 Silver badge

      >a disorganised, unmaged language like JAVA

      You're not counting the install wizard then?

    3. Anonymous Coward
      Anonymous Coward

      How much resource wasted cleaning up bad practice. !!!!

      its not the developers that are tasked with the cleanup, its the ops people having to search out bad practice of developers and fix it. Distracting ops from an already busy workload. Pushing back remediation of other open source generated vulnerabilities.

      Shame on you developers and Oracle !!!!!!!!!

  2. Anonymous Coward
    Anonymous Coward

    Stenberg also said: "No code I've ever been involved with or have my copyright use log4j and any rookie or better engineer could easily verify that."

    Easily verify? Unless Stenberg is willing to give said intern full and complete access to every aspect of his life, present and past, then no, its not. Stenberg better hope the intern brings extra lube.

    1. Pascal

      Or you know. Look at the dependencies.

      Or go with the lube if that's what you're into!

    2. emfiliane

      Obfuscated or not, it would take about ten seconds for any intern to decompile and search for a few common log4j strings.

  3. Robert Helpmann??
    Childcatcher

    ...the Log4Shell vulnerability has made it clear just how dependent some companies are on open-source components they don't even know about, don't contribute to or don't have a support contract for...

    So open source doesn't equate to freedom from contributing to and maintaining the health of the tools being used? There ain't no such thing as a free lunch!

  4. Anonymous Coward
    Anonymous Coward

    Curl

    Yikes. There is a non-zero chance that the email Daniel Stenberg received was from my company's information security department. It sounds about their speed.

  5. msobkow Silver badge

    You're seriously comparing a changing a couple of lines of a pom.xml file to what was involved with Y2K? *smh*

    1. Pascal

      Indeed. I would compare Log4j to sqlslammer, maybe?

      But not even 0.1% of the effort that happened to 'fix' Y2K.

      1. gnasher729 Silver badge

        I remember when I was a kid, I had to walk to and from school through meter deep snow, uphill both ways. On sandals, no socks. Of course Y2K was more effort in total. This was more _immediate_ effort, fix it asap.

        1. Pascal

          Right. "Immediate/urgent but also fairly simple".

          Which is why sqlslammer is a more apt comparison. That thing went around the world overnight and needed immediate attention (much more urgently than log4j in fact) but was solved with a patch or a firewall change.

    2. Robert Carnegie Silver badge

      Elsewhere, most of the "mobilisation of engineers" was to install the patched (then patched again) version of the software. And maybe then to check that the version number was the new version.

  6. TheMeerkat Bronze badge

    The problem is that next time a Chinese developers discovers such bug, they will inform their government first and it will be exploited before anyone would know.

    https://thehackernews.com/2021/12/china-suspends-deal-with-alibaba-for.html

  7. jvf

    I have a question

    Was thinking of studying Java.

    “…JAVA that requires you to copy 100s of versions of the same class on a single asset instead of having one local respository…”

    What does this mean? Is this true? If so, is it really a bad thing?

    Thanks

    1. emfiliane

      Re: I have a question

      It means someone, often many someones, are shit developers and architects. This is not uncommon in enterprise systems, and unfortunately, that's where Java is most popular and therefore you're most likely to find employment after studying it.

      There is an escape hatch: Several Java developers I've known have said "fuck it, I'm going to make an Android game instead, screw the corporate world."

      1. jvf

        Re: I have a question

        Not looking for a job and I hate gaming.

  8. Spanners Silver badge
    Boffin

    Not all the world said

    "The absence of a total IT meltdown left the rest of the world wondering, "well, was it as bad as all that?""

    I have heard statements like that from both muggles and the aggressively uninformable.

    People completely outside the IT world have an excuse but when I hear senior management making comments like that, I get quietly cross!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022