Search - "log4j"
-
Me: *busy doing dev stuff with my laptop*
Sis: *looks at my to-do stickies* Hey, what's Log4j?
Me: *without looking away from my screen* it's a library.
Sis: oh, cool! Where is it? Do you have a membership?
Me: Ha-Ha. This is going on devRant.
-
Darn it, I was having such a good day. Just sitting over here in sysadmin land watching the Java devs tear their hair out over the Log4j vulnerability, when someone just had to ask me about the Jenkins servers my team maintains.
Jenkins doesn't use Log4j! What a relief!
Jenkins does, however, have third-party plugins, some of which use Log4j. And thus my relief was short-lived and now I'm also tearing out my hair trying to patch this shit.
-
That log4j RCE is some fucking nasty business!!! Its exploits have already been observed multiple times in our company scope.
Time for some unplanned Saturday evening hot-patches :/
P.S. Why the fuck leave such a feature enabled as default??? I mean really, whose brilliant idea was "let's leave the message parser enabled as well as the LDAP query hooks... BY FUCKING DEFAULT!!!"
I mean really, is anyone using that? ANYONE?
And then they laugh at me when I say "stay away from frameworks", "use as few libraries as possible", "avoid foreign code in your codebase",...
you know what.... JOKE'S ON YOU!
-
So it turns out that one of our systems is so fucking old that its Log4j is off the hook. What they say of blessings being disguised as curses is real.
-
Wondering how many old smart TVs have log4j on them and are running web servers that log local requests...
-
It was in the old days, when I was working with Java and Windows systems.
Java and different log4j versions across dependencies caused the system to fail only on the production server.
Turned out some of the libraries had log4j embedded, which conflicted with the other log4j.
It worked on all computers except the production one.
Actually, that was my main reason to switch my career to Python after that dependency hell.
Another one was the Windows Server 2008 TCP connection limit, set to 200 or something.
We needed to change the registry to get our servers working. After this case we finally managed to convince people to switch to Linux.
Anyway, any non-standard error when you have multiple layers communicating with each other is hard; practice makes it easier to solve those problems, as your success moment comes faster.
-
I don't understand the Log4j vulnerability.
Isn't the ability to execute code a feature they added so that you can add dynamic data to the logs?
If it is a feature, then isn't it written in the documentation?
Is the problem that a lot of companies forgot to sanitize the input before logging it?
-
Group assignment: writing our own Java logger component in a group of four, using nothing other than Java SE libraries, Maven and Jenkins. The software must be able to substitute the logger component without recompilation, just by editing the config.xml (setting the jar file path and fully qualified class name of the logger).
I asked around on Slack which group is ready for a component exchange, so that we could test the switch. I found another group and I started doing some testing.
Then I got a `java.lang.NoClassDefFoundError: org/apache/log4j/Logger`. I got in touch with my peer from the other group and asked him if they'd been using log4j. Apparently they had, so I told him that the assignment was to write a logger of one's own, not just use log4j. Then he told me: "Uh, ok, I'm going to tell the guy responsible for the logger part about that..."
X-D
-
With this trend, we should plan for a log4j 2.18 release 'round Wednesday-Thursday.
By the EOY we're likely to reach 2.22. That's a nice version number to meet 2022 with :)
v2.0222 -
Log4j. My boss asked me to add it to a project. Had an issue with logging, went to the docs. Why do I need to read a whole fucking textbook to log messages to a file?
-
https://github.com/PwnFunction/...
Who let this flattening of the user input object into the Next.js codebase, also thinking that `runContext` is going to make a better companion than `eval`?
Yet another reason to switch over to Sapper and other Svelte minimalistic solutions, in my opinion.
rant nextjs security react gone wrong pwnfunction this is fine in the light of recent events with log4j code review disasters
-
Can someone explain Java logging to me...
There's log4j, slf4j, logback. Some are interfaces, others are implementations.
What is the setup so I can basically wit one and forget, or upgrade with the jar amount of code changes?
I need to upgrade log4j 1 to 2 and they changed the package name and how to init it....
Now it's logging.log4j.
And correct me if I'm wrong, `Logger logger = LogManager.getLogger(Clazz.class)`
Does the log4j.properties need changing as well?
-
rant & question
What am I supposed to do to finally get log4j working?? It just doesn't want to log in my project. Or it simply hates me. However many tutorials and documentation I've followed, even copy-pasting the simplest examples with ConsoleAppender, setting the xml config on the classpath.
It starts with default fallback logging.
How do all the tutorials automagically work??
-
So let's break this down: it's now 2017, the world of development is overflowing with flexible systems written in dynamic coding languages running on powerful hardware. A great deal of which is available to use for free.
This morning I FINALLY got one member of our "R&D" team at work to implement a proper logging system in one of our numerous Java apps... So she adds "log4j-1.2-api.jar" to her project.
*facepalm*
I'm still (3 years down the line) trying to convince them to let me rewrite their build scripts to integrate some sort of dependency management system, since they still use the default generated build for Ant as provided by Netbeans.
There is one bright side though: we're so-fucking-close to being able to ditch MS VSS!
*cue slow clap*
At this rate, how long do you think it will be before we can finally get away from using JDK 1.6 for everything?
-
1) Use JMockit to write some tests utilizing the $clinit method
2) Have a private static field in an enum (along with a static initialization block)
????(Doesn't work when I run mvn clean install on cmd (despite the fact it was working in Eclipse), because classes can't be found, log4j, etc.)
Profit
-
Can't find official documentation or examples... Wtf...
In Log4j configs' appender.filepattern, what are the % parameters that can be used? And is there one for UUID or process ID?
I have multiple instances of an app running with different parameters, but they can't all write to the same file.