I have read through that fastly blog twice.

TO ME (NOT the Java programmer) it would seem that some pretty bad assumptions must have been made by those writing code such as this. Bad as in 'just do what you are asked, don't question.'

Now it would SEEM like the code should have some logic like this:

Check 'requested action' against 'Valid Actions' and execute only if true. If false then 'don't do that.'

In my 'non-java' mindset it seems that coding to 'allow anything' is just a train wreck looking for a time and a place.

It reminds me of the battle between TinyDNS (a.k.a. DJBDNS) and BIND. BIND has been hacked a million times and appears with some frequency in CVEs. DJBDNS, however, was written to not be hackable, and the author posted an award for someone who hacked it. It took many years before the award was claimed, and even then on a technicality, not truly an exploit. The author specifically used this application to show how to code for both performance AND security, with security being the most important.

It would seem to me that security needs to be 'higher up' on the thinking of those writing code these days.

- DrF


On 12/14/2021 1:50 PM, Jack Woehr via MIDRANGE-L wrote:
On Tue, Dec 14, 2021 at 11:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Anyone care to share a real world example of how this would hurt someone on
the IBM i? From what I understand it requires a lot of variables... one
being that the attacker needs to be able to inject commands into the
logger.


https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j





This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
