javinpaul

Log4j2 Chaos and How to deal with it

Hello folks,

There has been a lot of chaos going on ever since the zero-day vulnerability was found on Log4j2, a popular Java logging library.

If you are wondering whether this can affect you or not then you are not alone.

This is similar to SQL injection, where hackers try to run malicious code on your server, and it is possible because your app executes external data without sanitizing it. That is what is happening with Log4j2.

Log4j allows you to use placeholders that are resolved at runtime, and it has a magical feature where a placeholder can be resolved from a remote server.

This means if you have code like this

    // this is bad now: the parameter is still expanded for lookups
    log.debug("user-agent={}", userAgent);

    // this was bad before, too: the value is concatenated into the message
    log.debug("user-agent=" + userAgent);

then a hacker can run his code on your server by providing a malicious value in the User-Agent header.

Given that many libraries use Log4j, the impact is widespread, but not all Log4j versions are impacted.
Only versions 2.0 <= Apache Log4j <= 2.14.1 are impacted.

This means you can solve this issue by upgrading to Log4j 2.15, but I know that's not trivial,
hence there are a few short-term solutions which I have suggested here.
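Two checks a defender can automate from what is described above: whether a deployed Log4j jar falls inside the affected 2.0 to 2.14.1 range, and whether untrusted HTTP header values carry the "${" placeholder marker that Log4j would try to resolve. This is an added example, not code from the article; the jar names, header values and the "${probe:marker}" string are constructed sample input.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range as stated in the article: 2.0 <= Apache Log4j <= 2.14.1.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor[.patch] from a jar name such as 'log4j-core-2.14.1.jar'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected_version(jar_name: str) -> bool:
    """True only for 2.x builds inside the affected range; 1.x is a different code base."""
    v = parse_version(jar_name)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


# Log4j resolves "${name:...}" placeholders when it formats the message. A genuine
# User-Agent or other request header has no reason to contain "${", so the marker
# alone is a strong signal worth alerting on, regardless of what follows it.
LOOKUP_MARKER = re.compile(r"\$\{")


def suspicious_headers(headers: Dict[str, str]) -> List[str]:
    """Return the names of request headers whose value carries a lookup marker."""
    return sorted(name for name, value in headers.items() if LOOKUP_MARKER.search(value))


def audit_request(jar_name: str, headers: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks. A flagged header is only exploitable on an affected build,
    but it is still worth recording on a patched one: someone is probing you."""
    flagged = suspicious_headers(headers)
    affected = is_affected_version(jar_name)
    return {"affected_build": affected, "flagged_headers": flagged,
            "exploitable": affected and bool(flagged)}


if __name__ == "__main__":
    # Constructed sample request; "${probe:marker}" is a harmless placeholder, not a payload.
    sample = {"Host": "example.test", "User-Agent": "Mozilla/5.0 ${probe:marker}", "Accept": "*/*"}
    print(audit_request("log4j-core-2.14.1.jar", sample))
```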

Read the full article -

