Re: Remote code execution exploit found in Log4j ..... Sidebar

I have read through that fastly blog twice.

TO ME (NOTtheJavaProgrammer) it would seem that some pretty bad assumptions must have been made by those writing code such as this. Bad is in 'just do what you are asked, don't question.'

Now it would SEEM like the code should have some logic like this:

Check 'requested action' against 'Valid Actions' and execute only if true. If false then 'don't do that.'

In my 'non-java' mindset it seems that coding to 'allow anything' is just a train wreck looking for a time and a place.

It reminds me of the battle between TinyDNS (a.k.a. DJBDNS) and BIND. BIND has been hacked a million times and appears with some frequency in CVEs. DJBDNS however was written to not be hackable and the author posted an award for someone who hacked it. It took many years before the award was claimed and even then on a technicality not truly an exploit. The Author specifically used this application to show how to code for both performance AND security, with security being the most important.

It would seem to me that security needs to be 'higher up' on the thinking of those writing code these days.

- DrF


On 12/14/2021 1:50 PM, Jack Woehr via MIDRANGE-L wrote:

On Tue, Dec 14, 2021 at 11:40 AM Brad Stone <bvstone@xxxxxxxxx> wrote:

Anyone care to share a real world example of how this would hurt someone on
the IBM i? From what I understand it requires a lot of variables... one
being that the attacker needs to be able to inject commands into the
logger.

https://www.fastly.com/blog/digging-deeper-into-log4shell-0day-rce-exploit-found-in-log4j