nanog mailing list archives
Re: Log4j mitigation
From: Jared Mauch <jared () puck nether net>
Date: Mon, 13 Dec 2021 14:32:19 -0500
On Dec 13, 2021, at 2:24 PM, Owen DeLong <owen () delong com> wrote:
> The bigger problem seems to be the ever growing list of products you may be using which depend on it potentially without your knowledge.
This isn’t a new problem. This is a great modern example showing how deeply embedded things could be, and they get worse with each of these nesting technologies as well: it may be embedded in a Docker or VM image, or the class could be in some other JAR or zip you are not aware of, or could come back with an overlapping class definition based on the order things get loaded. The same was always true with shared libraries and too-generic function names.

It’s such a blast from the past, as I had felt we had moved past many of these interpreted environment or parser things by properly encoding strings with a function. I’m really amazed at how widespread this is and what enterprise applications have had to get patched due to them embedding this software.

- jared
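The nesting described in the message above (a class sitting inside a JAR that is itself inside another archive) is what makes inventory hard, so here is an added example, not part of the original post, of a scanner that recurses through archives in memory. It assumes the class of interest is log4j-core's `JndiLookup`; the archive names and sample contents are constructed.

```python
import io
import zipfile

# Assumption: the class of interest is log4j-core's JndiLookup; the message
# itself only says "the class".
TARGET = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8  # stop runaway or hostile nesting


def find_nested(data, label, depth=0):
    """Return 'outer!inner!entry' paths for every copy of TARGET in data."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive despite its extension
    with zf:
        for info in zf.infolist():
            name = info.filename
            # endswith() also catches copies under a prefix (fat JARs, shading)
            if name == TARGET or name.endswith("/" + TARGET):
                hits.append(f"{label}!{name}")
            elif name.lower().endswith(ARCHIVE_EXTS):
                hits += find_nested(zf.read(info), f"{label}!{name}", depth + 1)
    return hits


def make_zip(entries):
    """Build an in-memory zip from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_war():
    # Constructed: the class is bundled into vendor.jar, which sits in a WAR.
    vendor = make_zip({TARGET: b"\xca\xfe\xba\xbe", "com/example/App.class": b""})
    clean = make_zip({"com/example/Util.class": b""})
    return make_zip({"WEB-INF/lib/vendor.jar": vendor,
                     "WEB-INF/lib/clean.jar": clean,
                     "WEB-INF/lib/broken.jar": b"not a zip"})


if __name__ == "__main__":
    for hit in find_nested(sample_war(), "app.war"):
        print(hit)
```

A filename match only locates candidates; it says nothing about the version or whether the class is actually loaded, and a copy relocated under a renamed package will not match.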