Darn it, I was having such a good day. Just sitting over here in sysadmin land watching the Java devs tear their hair out over the Log4j vulnerability, when someone just had to ask me about the Jenkins servers my team maintains.

Jenkins doesn't use Log4j! What a relief!

Jenkins does, however, have third-party plugins, some of which use Log4j. And thus my relief was short-lived and now I'm also tearing out my hair trying to patch this shit.

"my app was already hacked so now it has natural immunity"

That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.

Time for some unplanned Saturday evening hot-patches :/

P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"

I mean really, is anyone using that? ANYONE?

And then they laugh at me when I say "stay away from frameworks", "use as little libraries as possible", "avoid foreign code in your codebase",...

you know what.... JOKE'S ON YOU!

Who's having fun with the Log4J zero-day?

"It's secure because you can't input more than 15 characters"

So it turns out that one of our systems is so fucking old that its Log4j is off the hook. What they say of blessings being disguised as curses is real.

Wondering how many old smart TVs have log4j on them and are running web servers that log local requests...

It was right in our faces all this time ;-;

Log4j is just more justification to never use Java for anything

I dont understand the Log4j vulnerability.

Isnt the ability to execute code a feature they added so that you can add dynamic data to the logs?

If it is a feature then isnt it written in the documentation?

Is the problem that a lot of companies forgot to sanitize the input before logging it?

Having this trend we should plan for log4j 2.18 release 'round Wednesday-Thursday.
By the EOY we're likely to reach 2.22. That's a nice version number to meet 2022 with :)

v2.022

Hey Java devs.. Stop using #log4j, just use System.out.print()

ahhh, another log4j meme

best
log4j

worst
log4j