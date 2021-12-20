

(The Register)   Log4J is like the 12 days of Christmas, and we're up to the three hackers hacking verse   (theregister.com)
    More: Followup, Immune system, The Fix, Official, Arbitrary code execution, Software bug, Log4j2 versions 2.0-alpha1, VMware Verify, part of the wider VMware Workspace  
Merltech [TotalFark]
33 minutes ago
Just like plumbing: once you find one problem, you uncover more problems, and by the time you are done, it's been gutted out and redone.
 
jaivirtualcard
28 minutes ago
Wow. That took me back all the way to 2003.

pacified
27 minutes ago
I like how freaked out my clueless manager is by all this.
 
bluenovaman [OhFark]
22 minutes ago
I'm so happy my applications don't use any of that.  The other teams around mine are all going nuts working through the weekend and nights updating then hearing oops we need a newer version...going through that to get the newer update again.
 
Somaticasual
20 minutes ago
So, can any IT farkers comment on whether this is a vulnerability in most WHM/cPanel installations, or is this vulnerability limited to specific applications using the Log4J logging library? (meaning - would someone managing the WHM installation have to install it, or is it loaded by default and thus subject to attack?)
 
FlippityFlap
19 minutes ago

pacified: I like how freaked out my clueless manager is by all this.


Depending on your exposure, he may well be right to be. I know my company is crapping their pants over possible exposure and Java library dependency hell.  Fortunately, I am on the FW and hardware side of things, so I just get to watch.....
 
Randrew
19 minutes ago

pacified: I like how freaked out my clueless manager is by all this.


One of mine approached me last week "There's a really bad Java bug going around, is this a problem for us?"  I paused a moment, rejected the notion to explain to him what kind of systems it affected and why it didn't apply to us and instead told him, "I have checked all our systems and the machines we've shipped and I confirm that it is not a problem for us."
 
jaivirtualcard
19 minutes ago

Somaticasual: So, can any IT farkers comment on whether this is a vulnerability in most WHM/cPanel installations, or is this vulnerability limited to specific applications using the Log4J logging library? (meaning - would someone managing the WHM installation have to install it, or is it loaded by default and thus subject to attack?)


Can you speak English, please?

synithium
17 minutes ago
Dang.  Looks like if you didn't update to the latest version as suggested before, you'll have to update to the latest version as suggested now.
 
MBooda
16 minutes ago
Open source gonna open source.
 
Creoena
15 minutes ago
I'm spending most of my afternoon patching applications that use log4j.  The security team doesn't seem bothered by it though.  Even proposing linking Mural with Jira though?  Security team goes nuts.
 
The Irresponsible Captain [TotalFark]
12 minutes ago
One of the problems is it's in a number of off-the-shelf solutions, like WebSphere. We have a lot of people at work worried about it, but at least the firewall team is on top of things for now and most of the problem is mitigated in some fashion until we can get all the patches from vendors out.
 
abbarach
9 minutes ago

bluenovaman: I'm so happy my applications don't use any of that.  The other teams around mine are all going nuts working through the weekend and nights updating then hearing oops we need a newer version...going through that to get the newer update again.


The vendor on my project ran a scan and found log4j in an application provided by a third party that we use to connect to their system.  We reached out to the project manager, who referred us to their vendor.  The response that came back: "We're still using an older version (1.8.something) that predates the vulnerability".

I'm not sure that's any better...
 
bluenovaman [OhFark]
3 minutes ago

abbarach: bluenovaman: I'm so happy my applications don't use any of that.  The other teams around mine are all going nuts working through the weekend and nights updating then hearing oops we need a newer version...going through that to get the newer update again.

The vendor on my project ran a scan and found log4j in an application provided by a third party that we use to connect to their system.  We reached out to the project manager, who referred us to their vendor.  The response that came back: "We're still using an older version (1.8.something) that predates the vulnerability".

I'm not sure that's any better...


One of the teams I work more directly with has a version so old it's not affected.  We spent a good 5-10 minutes laughing and joking about that good fortune and what kind of crap application we keep around that is so old, retiring it next year and that's going to be a pain for me setting up connections to the replacement.
 
Sporkabob
1 minute ago

Somaticasual: So, can any IT farkers comment on whether this is a vulnerability in most WHM/cPanel installations, or is this vulnerability limited to specific applications using the Log4J logging library? (meaning - would someone managing the WHM installation have to install it, or is it loaded by default and thus subject to attack?)


I'm going from memory so forgive me if this info is incorrect, but cPanel/WHM only used Log4j as part of the Dovecot Solr plugin. We always kill mail services on all of our WHM servers so haven't been overly concerned.

Of course it's possible other third party plugins could use it.
 
