Hear Ye! Hear Ye! Patch Ye Thine Apache; For Log4j Safety
Log4j Version 2.16 Disables The Java Naming and Directory Interface By Default
Rejoice for there is now a way to make your systems somewhat less vulnerable to the Log4Shell vulnerability in the form of a new patch from Apache. The previous 2.15 patch disabled the JNDI message lookups that are the heart of this vulnerability but it did not completely disable JNDI completely and so some software could well be exposed. The new 2.16 patch disables it completely, thus completely removing the key though not the lock as JNDI still remains susceptible to this hack if ever enabled again.
As it stands there is a way to disable the vulnerable part, which can also have negative effects on how your software runs, there is no patch yet which allows you to use JNDI message lookups safely. The widespread use means that there will likely be programs that are vulnerable for years to come, as the developers suddenly realize that one of their programs actually does use Log4j in a small, often unused component.
Crucially, this move is defense in depth: Apache conceded JNDI "has significant security issues," so it's just deactivated it by default with a fresh release. Version 2.15 was most probably enough to protect you from attack, version 2.16 makes it certain.
More Tech News From Around The Web
- Google Is Building a New AR Device and OS @ Slashdot
- Microsoft To Make Windows Terminal the Default Windows 11 Command Line Experience @ Slashdot
- Popular password manager LastPass to be spun out from LogMeIn @ The Register
- The Ars Technica 2021 holiday gift guide: Procrastinator’s edition
- Don’t make an iOS of yourself – Apple’s patched its OSes, you know the drill @ The Register
- Dude this should NOT be in a Dell Switch… or HPE Supercomputer @ ServeTheHome