Insane. #opensource #linux #log4j #itsec #exploits
"I am no hero" Incredibly good, dear @br_data! #br #bayerischerrundfunk
Link recommendation: ARD Audiothek
Spent the past year working with @pkarwasz on #Log4j. What started as patches turned into deep dives into #SBOM, VEX, and securing supply chains.
In 2025, we’re building a small #Maven-based tool to help #Java devs write more secure software. No big funding—just two folks in the trenches trying to get it right.
Let’s talk if your company’s digging into SBOM or #OpenSource #security. We’re happy to share insights or lend a hand!
You can call yourself a senior programmer when you have, at least once in your life, told yourself: "I should have logged this."
Today, 3 years ago, the (in)famous #Log4Shell vulnerability was made public.
This was an arbitrary code execution vulnerability in the popular #Java logging framework #Log4j; the issue had been there since 2013. This vulnerability received a CVSS severity rating of 10, the highest possible.
Hope you all updated your billions of devices running Java out there already!
Excited and honored to speak at the #Japan #Java User Group this November! I’ll dive into the story behind #Log4j and #Log4shell, explore the impacts on the open-source ecosystem, and discuss lessons learned since. Looking forward! #OpenSource #JUG
https://www.java-users.jp/post/night202411/
I'm getting my hands dirty with #RevealJS for a talk about #Java, #OpenSource, and #Log4j in Tokyo. This time, I will only travel light with my @tuxedocomputers #Linux laptop, so I started creating my presentations in an open format (as I should have done before). #javascript
How to make #opensource #software more secure
The #xz attack, which followed other well-known cybersecurity incidents involving open source software like #Heartbleed, #Shellshock, and #Log4j, was another stark reminder that open source software, given how widespread it is, can pose significant #security risks.
https://techcrunch.com/2024/11/01/how-to-make-open-source-software-more-secure/ #itsec
#Sonatype released its new report saying that 13% of #Log4j downloads are still vulnerable. It does not mean you are a target, but you should double-check and update when possible.
#java #security #supplychain
https://www.sonatype.com/en/press-releases/sonatypes-10th-annual-state-of-the-software-supply-chain-report
3 years after #Log4shell, Bloomberg wrote "Hackers are still targeting #Log4j". The article is not mindblowing, but it reminds us to update! https://www.bloomberg.com/news/newsletters/2024-10-09/hackers-still-target-outdated-software-flaw-despite-available-fixes?srnd=undefined
We welcome Jan Friedrich to join the #TheASF Logging Services team as a PMC member. We are happy to have you, Jan!
https://logging.apache.org/blog/2024/08/08/welcome-to-the-pmc-jan.html
@Sofie_unlabeled I generally found it funny today how often I read "this wouldn't have happened with Linux".
1. #Crowdstrike exists for Linux too. Presumably the bug wouldn't have led to the same misbehaviour of the OS, or would it?
2. There are, and recently have been, so many serious bugs in the #Linux ecosystem that the sentence "this wouldn't have happened with Linux" is by now simply nonsense; see #xzutils recently and #log4j a while before that.
Next week I'll be a guest at the #Linux user group in Augsburg. I'm really looking forward to it!
Topic: "Work more, but for free. How does that work?" ;-)
Anyone who doesn't know how working for free works, or who wants to learn more about #OpenSource, #Log4j or the #Log4shell aftermath - welcome.
Thanks for the invitation, @lug_augsburg
https://www.luga.de/static/LIT-2024/talks/lasst_uns_kostenlos_arbeiten/
So I had a weird issue where I updated my Java Virtual Machine (#semeru for the #openj9) where the #davmail service in Windows suddenly worked on the work machine, but the standalone only works from the jar. After a time trying to track down that, it started an investigation into the DavMail ini file that I have to get it to work on the personal machine.
After a bit of time I noticed that there are newer libraries than those in the default install. So the thought of "hey, I wonder if you can upgrade the libraries to something more modern" came up. Turns out you can, and in fact you can move the #log4j libraries to the second/reload version. So for the ones that got upgraded...
commons-codec-1.16.1.jar
commons-collections-3.2.2.jar
commons-logging-1.3.1.jar
htmlcleaner-2.29.jar
httpclient-4.5.14.jar
httpcore-4.4.16.jar
jackrabbit-webdav-3.0.1.jar
jcharset-2.1.jar
jcifs-2.1.37.jar
jdom-2.0.2.jar
jettison-1.5.4.jar
log4j-core-2.23.1.jar
slf4j-api-2.0.12.jar
slf4j-reload4j-2.0.12.jar (replacing slf4j-log4j12-1.7.25.jar)
stax-api-1.0.1.jar
stax2-api-4.2.2.jar
winrun4j-0.4.5.jar
woodstox-core-6.6.2.jar
Does this change anything? Probably not. Does it work? Well yes, on my personal machine, the work one still is a mystery. Do I know what I am doing? No.
Been looking at the #xz backdoor a little more closely and wanted to reiterate what a massive MVP @AndresFreundTec is. The long game that was played here, over months, a PR in clang to hide a warning, sockpuppets and all that, the massive complexity of the backdoor, everything about this vuln is wild, and it would have gone completely undetected had he not profiled sshd to understand why it was using a little too much CPU on failed login attempts. This is truly incredible.
Of course it should teach us all a lesson on open source and maintainer burnout and the amount of trust we put in obscure libraries, but hey, we didn't really change anything collectively after #log4j even though the story is awfully similar on some levels.