Hear Ye! Hear Ye! Patch Ye Thine Apache; For Log4j Safety

Source: The Register, "Hear Ye! Hear Ye! Patch Ye Thine Apache; For Log4j Safety"

Log4j Version 2.16 Disables The Java Naming and Directory Interface By Default

Rejoice, for there is now a way to make your systems somewhat less vulnerable to the Log4Shell vulnerability, in the form of a new patch from Apache.  The previous 2.15 patch disabled the JNDI message lookups that are the heart of this vulnerability, but it did not disable JNDI entirely, so some software could well still be exposed.  The new 2.16 patch disables it completely, removing the key though not the lock: JNDI remains susceptible to this hack if it is ever enabled again.

If you are curious why a bug in Steam and Minecraft has become the biggest news in computer security, you have to realize just how much software depends on JNDI for logging.  A quick peek at the Wikipedia page gives you an idea of how many ports have been created and are in active use.  If you are running C programs, Ruby, JavaScript or PHP, then there is a very good chance your software uses Log4j and is therefore vulnerable to Log4Shell.

As it stands there is a way to disable the vulnerable part, which can also have negative effects on how your software runs; there is no patch yet which allows you to use JNDI message lookups safely.  The widespread use means that there will likely be programs that are vulnerable for years to come, as developers suddenly realize that one of their programs actually does use Log4j in a small, often unused component.

Crucially, this move is defense in depth: Apache conceded JNDI "has significant security issues," so it has simply deactivated it by default with a fresh release. Version 2.15 was most probably enough to protect you from attack; version 2.16 makes it certain.
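Since the article's point is that the protection you have depends on exactly which log4j-core version each program carries (below 2.15 exposed, 2.15 with only message lookups off, 2.16 with JNDI off by default), the natural defender's task is to find every log4j-core jar on a host and classify it. The following is an added example, not code from the article or from Apache: a small Python scanner that reads the `Implementation-Version` header from each jar's manifest (assumption: that header is present in log4j-core jars, with `Log4jReleaseVersion` tried as a fallback) and buckets the jar against the 2.15/2.16 thresholds discussed above. It also notes whether the `JndiLookup` class is still in the jar, because Apache's published workaround for older versions was to delete that class; the sample jars are constructed in memory so the script runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# Thresholds mirror the article: 2.15 turned off JNDI message lookups,
# 2.16 disables JNDI entirely by default.
LOOKUPS_OFF_VERSION = (2, 15, 0)
JNDI_OFF_VERSION = (2, 16, 0)
# Class removed by Apache's documented workaround for pre-2.15 jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Manifest headers consulted, in order (assumption: one of them is present).
VERSION_HEADERS = ("Implementation-Version", "Log4jReleaseVersion")


def parse_version(text):
    """Turn '2.16.0' or '2.15' into a comparable tuple such as (2, 16, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def manifest_version(zf):
    """Return the version string from META-INF/MANIFEST.MF, or None."""
    try:
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    headers = {}
    for line in raw.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    for name in VERSION_HEADERS:
        if name in headers:
            return headers[name]
    return None


def assess_jar(zf):
    """Classify one log4j-core jar; returns (status, version_string)."""
    ver_str = manifest_version(zf)
    ver = parse_version(ver_str) if ver_str else None
    jndi_class_present = JNDI_LOOKUP_CLASS in zf.namelist()
    if ver is None:
        return ("unknown-version", ver_str)
    if ver >= JNDI_OFF_VERSION:
        return ("ok", ver_str)            # JNDI off by default (2.16+)
    if not jndi_class_present:
        return ("mitigated-class-removed", ver_str)  # workaround applied
    if ver >= LOOKUPS_OFF_VERSION:
        return ("partial-2.15", ver_str)  # lookups off, JNDI still enabled
    return ("vulnerable", ver_str)


def scan_tree(root):
    """Walk a directory tree and assess every log4j-core*.jar found."""
    results = {}
    for path in Path(root).rglob("log4j-core*.jar"):
        with zipfile.ZipFile(path) as zf:
            results[str(path)] = assess_jar(zf)
    return results


def make_jar(version, include_jndi_class=True):
    """Build a constructed in-memory jar for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        if include_jndi_class:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    # Constructed samples covering each bucket the article describes.
    for version, keep_class in [("2.14.1", True), ("2.15.0", True),
                                ("2.15.0", False), ("2.16.0", True)]:
        print(version, "JndiLookup present" if keep_class else "JndiLookup removed",
              "->", assess_jar(make_jar(version, keep_class)))
```

Point `scan_tree("/")` (or a narrower application root) at a real host to get a path-to-status map; anything reported as `partial-2.15` or `vulnerable` is where the article's "small, often unused component" problem shows up.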


About The Author

Jeremy Hellstrom
