The fix for it is fairly trivial; the issue is getting the fix into all the
IoTs and routers etc. that aren't updated much. And there's a lot of kit
out there that manufacturers aren't doing security updates for anymore.
That internet TV from 2015 that no longer talks to the manufacturer, but
still does streaming and electronic program dl?

Mike

On Thu, 16 Dec 2021, 17:30 Greg Keogh, <gfke...@gmail.com> wrote:

> It's almost Friday ...
>
> Many of you might have read the blazing headlines everywhere that the
> whole Internet is about to crash because of a security vulnerability in
> log4j. I haven't written Java since early 2001, so I went looking for tech
> details.
>
> It turns out someone wrote an appender (in our log4net terms) that parsed
> a Uri out of a special bit of syntax, then blindly loaded and ran what was
> at the Uri. I mean, what could possibly go wrong? I think that this guilty
> JNDI appender is available by default, that is, it's in the JAR or
> something like that (I can't get further fine details on that).
>
> So it's a bit like *Aircrash Investigations* where it takes multiple
> things to go wrong and make a bigger wrong.
>
> Who could have imagined that a logging library would bring the Internet
> down?!
>
> *Greg*
>
