Home Java Log4j Issue And The Nightmare of Java Developers

Log4j Issue And The Nightmare of Java Developers

Published: Last Updated on 0 comment 2.4k views

Planning to party Friday Night. Everything was ready. Waiting for your friend’s call to pick you up. The phone rings, and without seeing you pick up the call in excitement, “Hey Bro, Kaha tak pohcha” (Where have you reached so far). “Sorry?”, the person replied, “I am MR XYZ from your company ABCD Tech. We have raised an Incident Ticket of Log4J Issue for a major Log4j Security Vulnerability in Java applications”.

The excitement vaporized in the thin air instantly. After the call, I a big sigh. Went back to the table, opened the laptop, discussing solutions with other sad faces.

The story is dramatic, but this was most of us Java Developers on the 2nd weekend of December 2021. Log4J is such a common library in Java projects that the affected applications count for millions (and people say Java’s dead 🤷‍♂️).

After updating the library, we got another bad news. The last update is still vulnerable. So we needed to update it again.

So let us see what actually happened since then and where are we now. What is this issue all about, how it is affecting us developers, and what’s the latest fix for this?

Before diving into the details, I just want to say a Big Thank You to Security Experts for discovering this Log4J issue and Apache Foundation for fixing the issue in the library.

You can follow me on social media via @coderstea on Twitter, Linkedin, Facebook, or Instagram. We also share high-quality videos about programming on our YouTube channel. You can also publish your post on CodersTea, just share your thought on Contact Us or let us know in the comments.

The Stampede caused by Log4J Issue: CVE-2021-44228

The CVE-2021-44228, AKA Log4Shell, allows attackers to take control over Java application servers via Log4J. The attacker can exploit this Log4J issue with messages passed to it. Following is a short video I found on how one can exploit this Log4J issue very easily. They can do so with the help of an LDAP server and a command passed to it.

Log4j issue (CVE-2021-44228) RCE Vulnerability Explained

The severity of the vulnerability is huge, This simple exploitation can affect the systems from Amazon Web Services to indie developers’ tiny servers. As I said, Log4J is such a common library that almost more than half of these servers are vulnerable or might have been exploited already.

Due to the huge presence of Java on the Server-side, this has caused every organization to update their system ASAP. The non-public or standalone applications are not too vulnerable compare to their server-side companion, but one must update them as attackers can attack from anywhere.

Nightmares for Legacy System’s Developer

The latest project which must have been using Maven or Gradle and following best practices along with CI&CD can fix the patch easily. But this is a nightmare for legacy systems, particularly huge monoliths. These systems are so huge that updating them requires so much work. Now whoever is working on this might not be sleeping peacefully. I know I may be exaggerating but one of the projects I worked on previously was only 4-5 years old, but updating something on it was a total nightmare. Now I can’t imagine projects older than 10-12 years.

Do let me know in the comment how was your day/night solving this issue.

Finally Fixed, But Wait there is More Log4J Issue

After the patch for the Log4J issue was fixed on Log4j version 2.15, there was still some part of the original vulnerability left. It was CVE-2021-45046. Apache worked on it and released another patch in version 2.16. Cool, now it seemed to be settled. The second time was not that bad, because you now already know how to update from the last fix.

But boom there is another update needed for CVE-2021-45105. Apache promptly jump to the rescue and released the latest patch (as of now) 2.17. But I hope it’s the last one. As we need some break time at Christmas, especially Apache guys.

The TimeLine for Log4j Issue

Following is the timeline for the Log4j Issue. When the Log4J issue or Log4J security vulnerability was detected when was the fix for it was released?

DateWhat HappenedFixed In Version
24 Nov 2021Security researcher Chen Zhaojun of Alibaba reported the vulnerability of the Apache foundation2.15
6 Dec 2021Apache Released a fix for CVE-2021-442282.15
9 Dec 2021Discovered Attacks on Minecraft’s servers since 1 Dec2.15
13 Dec 2021Apache released a fix for CVE-2021-450462.16
17 Dec 2021 Apache released a fix for CVE-2021-451052.17 (latest)
Log4j Issue Timeline

The information I collected above is from various sources, the major one is https://www.dynatrace.com/news/blog/what-is-log4shell/.

Conclusion for Log4J issue

Yes, it was a rollercoaster ride at the end of the year. You, me, and everyone else let us just hope there is no more vulnerability. Let us enjoy Christmas and New Year with happiness. On that note, as I am writing this on Christmas Eve, Merry Christmas to you all, and wish you a Happy New year.

See you in the next post. HAKUNA MATATA!!!

You can follow me on social media via @coderstea on Twitter, Linkedin, Facebook, or Instagram. We also share high-quality videos about programming on our YouTube channel. You can also publish your post on CodersTea, just share your thought on Contact Us or let us know in the comments.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

@2022 All Right Reserved. Designed and Developed by CodersTea

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More