Info-Apache Log4j Remote Code Execution Vulnerability in thousands of servers

According to recent articles, "hundreds of millions" of internet-connected devices and services are vulnerable to hackers because of a newly discovered security flaw in a widely used piece of computer code used by many servers. The vulnerability is found in log4j, an open-source, java based, Apache logging library used by apps and services across the internet, many which are used by the federal government. It could allow hackers to run malicious code on targeted computer systems for purposes including espionage and ransomware .

According to the experts, generally speaking any consumer device that uses a web server could be running Apache. It is widely used in devices like smart TVs, DVR systems and security cameras. The government and Microsoft are scrambling to identify the many servers involved.

So far, Microsoft has found this vulnerability in its own products, Azure Spring Cloud, Azure Databricks, Azure DevOps and Minecraft. MS patched their Minecraft server, but it still exists in non-Microsoft hosted Minecraft servers. CVE-2021-44228 - Security Update Guide - Microsoft - Apache Log4j Remote Code Execution Vulnerability addresses the MS servers identified so far that require customer action.

All that said, can someone answer 2 questions for me. Java code has caused security problems for years. Why is it still allowed to be used? And why in the world would our government, Microsoft, and Security companies give a heads up to all the hackers out there that the flaw exists in the first place before it is fully mitigated? It’s like saying “Exploit me!” Makes no sense to me.

Well.. Java is popular and many people use it. The question should be why would anyone use it in critical systems since it has a long history of vulnerabilities. Part two.. the hacker(s) knew about this before anyone made an announcement about the issue. Trust me.. hackers are miles ahead of the Gov etc.

One more thought.. the other reason Java is used is because it's a great cross platform language. You can basically code it one time and run it just about anywhere. This makes life easier for developers but in this case I believe the code hasn't been maintained properly hence this issue.

Is java better now in terms of vulnerability? Yes.. but it's far from as good as it should be. IMO.

BunnyJ said:

hackers are miles ahead of the Gov

Click to expand...

They don't have to be traveling very fast to stay ahead of OUR government. Too much talk, not enough action.

glasskuter said:

They don't have to be traveling very fast to stay ahead of OUR government. Too much talk, not enough action.

Click to expand...

Well.. the gov can't test every bit of code for vulnerabilities.

@BunnyJ You're the coder so I lean to your expert wisdom.

glasskuter said:

@BunnyJ You're the coder so I lean to your expert wisdom.

Click to expand...

Well.. I've also played over with the dark side,, they have wicked good cookies..can you blame me? LOL

glasskuter said:

Why is it still allowed to be used?

Click to expand...

Because the Java Virtual Machine allows portable client-server code to be written for many OSes (cross-platform development as @BunnyJ calls it). Microsoft have their own CLR (Common Language Runtime), so why do they not use it instead of Java SE? Turns out that Oracle Java and MS CLR implement the same standard. See next question for details.

glasskuter said:

And why in the world would our government, Microsoft, and Security companies give a heads up to all the hackers out there that the flaw exists in the first place before it is fully mitigated?

Click to expand...

The standard originates in Europe. The ECMA (European Computer Manufacturers Association) wrote the ECMAscript (aka Java Script) standard, which is still being updated regularly.

Security flaws appear everywhere these days, from OSes, Applications, Client-side computing, Microprocessors, to BIOSes and TPM modules!!!

You may wish to view this article, written in 2015, which addresses similar questions about client-side computing, that this thread asks today:

Why Java is a “big deal”
Understanding Java
The brief anatomy of a Java exploit
...
So how do you protect yourself from cyber threats targeting Java?
Source: Why are Java’s Vulnerabilities One of the Biggest Security Holes on Your Computer?

Click to expand...

Hope that helps!!!

iko22 said:

Because the Java Virtual Machine allows portable client-server code to be written for many OSes (cross-platform development as @BunnyJ calls it). Microsoft have their own CLR (Common Language Runtime), so why do they not use it instead of Java SE? Turns out that Oracle Java and MS CLR implement the same standard. See next question for details.


The standard originates in Europe. The ECMA (European Computer Manufacturers Association) wrote the ECMAscript (aka Java Script) standard, which is still being updated regularly.

Security flaws appear everywhere these days, from OSes, Applications, Client-side computing, Microprocessors, to BIOSes and TPM modules!!!

You may wish to view this article, written in 2015, which addresses similar questions about client-side computing, that this thread asks today:


Hope that helps!!!

Click to expand...

JavaScript isn't Java..