#log4shell — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #log4shell, aggregated by home.social.
-
Many Java teams don't know which libraries are actually running in production — until the next #Log4Shell shows up. #SBOMs create transparency about dependencies & risks.
Sven Ruppert shows how it works in practice:
https://javapro.io/de/sbom-fuer-java-entwickler-was-bringt-mir-das-im-alltag-wirklich-teil-1/
https://javapro.io/de/sbom-fuer-java-entwickler-was-bringt-mir-das-im-alltag-wirklich-teil-2/
-
You trust your dependencies? That’s the risk. From #Log4Shell to self-replicating worms, attacks don’t hit your code first — they hit your supply chain, often via packages.
@MohammadAliEN explains what to watch: https://javapro.io/2026/04/23/the-whispering-jar-java-security-lessons-hidden-in-a-fantasy-tale/
-
----------------
🤖 Tool: MEDUSA — AI-first Security Scanner
Overview
MEDUSA is presented as an AI-first security scanner with more than 9,600 detection patterns focused on AI/ML applications, LLM agents, RAG pipelines, MCP servers and traditional codebases. The release v2026.5.0 emphasizes AI supply-chain coverage with a new Git scanning capability and repo poisoning detection.
Key technical facts
• Detection surface: 9,600+ AI security patterns targeting agent frameworks, MCP protocols, RAG components and editor/IDE config files.
• CVE coverage: Product claims detection of 133 CVEs, with named detections including Log4Shell, Spring4Shell, XZ Utils backdoor, LangChain RCE, MCP remote code execution and React2Shell.
• New rules: v2026.5.0 adds 45 attack rules for repo poisoning and 11 rules for MCP advanced attacks (schema poisoning, sampling injection, cross-server manipulation, Flowise RCE).
• Repo poisoning specifics: Detection across 28+ AI editor and IDE file types (examples enumerated include Cursor, Cline, Copilot, Claude Code, Gemini CLI, Kiro, Codex CLI, Windsurf, Amazon Q, Roo Code).
• Performance & outputs: Parallel processing for multi-core scanning, smart caching to skip unchanged files, and multiple export formats (JSON, HTML, Markdown, SARIF).
Technical implications (reporting the release)
The release documents a focused effort on AI supply-chain tactics: repo poisoning heuristics, editor-config weaponization, and MCP-targeted attack rules. The product adds path-relative FP filtering to reduce false positives when repo names previously matched heuristics. The Git scanning feature is described as a single-step repo analysis for supply-chain indicators.
Constraints and scope
The documentation frames MEDUSA as cross-platform (Windows/macOS/Linux) with IDE integrations and optional linter enhancements. The release notes list capabilities and detection counts; they do not provide operational deployment commands or step‑by‑step setup details.
🔹 medusa #ai_security #repo_poisoning #log4shell #langchain
-
I never imagined GitHub would ask me to speak about Log4Shell.
But it happened.
GitHub asked me to share the story as I lived it, for the benefit of all maintainers and users of open source. How could I say no?
I hope it helps build a more secure future.
No more Log4Shell.
#opensource #log4j #Log4Shell #programming #security #hacking #Github
-
JUnit 6 broke 50 repos. I’m delighted.
If a dependency bump can shatter your stack, you don't need fewer updates. You need better tests.
I maintain 50+ OSS repos as one human. I don't babysit them. I automated everything, including updates and minor releases. Many repos haven't been touched in 6 years. As JUnit 6 now rolled in, a chunk failed. Perfect.
Why perfect? Because failure is a signal, not a disaster. Good tests mean breakage never escapes. I've had repos fail on a Java date parser change. Beautiful. I saw it before release, fixed it, moved on. During Log4Shell and Spring4Shell I didn't panic. I just waited for the next update. That's what behaviour tests are for. And no, they are not slow. If your tests crawl, your design does too.
I trust code I write. I do not trust magic. I remove convenience glue that silently rots:
I don't need MultiValueMap when Map<List> is clearer.
I don't need StringUtils.isEmpty when a simple null or empty check is obvious.
I don't need annotations that smuggle in half a framework.
Every extra library is a future liability: CVEs, licences, security, data privacy, performance, breaking changes, mental overhead. Use them to start, then delete them to last. Fewer moving parts mean fewer ways to die.
After 6 years my micro systems still boot in micro seconds, still read clean, still behave. CI pipelines aged, sure, but the code stayed boring. Boring is freedom. Quiet, peaceful, done.
If your stack cannot auto-update without heart palpitations, the problem isn't updates. It's architecture.
Principles I ship by
Automate updates and everything else I can. Let tests be the gate, not fear.
Push behaviour tests to the edges. If it's slow, refactor until it isn't.
Prefer primitives and standard libs. Delete decorative wrappers.
Design for micro systems, not micro monoliths. Start fast, stay fast.
Fewer tools, fewer surprises, fewer nights on fire.
Congratulations. The system failed safely. After fix, you may proceed to do literally anything else with your life.
#java #junit #testing #oss #automation #developerexperience #simplicity #minimalism #microservices #security #log4shell #spring4shell #cleanarchitecture
-
#Log4j could have failed many times. But it survived. Not because of money, but because of people. An honest look behind the scenes — from the first line of code to the project’s greatest crisis.
Read Christian Grobmeier’s new piece: https://javapro.io/2025/06/10/the-long-history-of-log4j/
-
After #Log4Shell hit, I dreamed of writing a Java Logging book.
Beginner-friendly and full of what I’ve learned as a trainer.
Today, that dream became real.
@ManningPublications just launched my book in their MEAP program, and I’m incredibly proud and grateful.
After all these years at the ASF, it feels like a circle has closed.
Get it 50% off:
-
“What if we had been on vacation?” #Log4Shell hit millions of systems in 2021 – a handful of volunteers saved the net. Christian Grobmeier’s look back at 30 years of #Log4j shows what #OpenSource can achieve & where its limits lie when companies only consume!
-
Think #Log4Shell was a one-off bug? Think again. What really caused it? How close was #Log4j to dying – multiple times? And what’s next for one of #Java’s oldest libraries? Christian Grobmeier’s new piece will surprise you.
Dive in: https://javapro.io/2025/06/10/the-long-history-of-log4j/
-
#Log4j began as an EU research project in the 90s. Today it is one of the most widely used #Java logging frameworks & survived #Log4Shell.
How did that happen?
Christian Grobmeier 👉 The story of a project between #OpenSource, security & responsibility: https://javapro.io/de/die-lange-geschichte-von-log4j/
-
DHS Disbands Cyber Safety Review Board, Ending One of CISA’s Few Bright Spots – Source: www.securityweek.com https://ciso2ciso.com/dhs-disbands-cyber-safety-review-board-ending-one-of-cisas-few-bright-spots-source-www-securityweek-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #IncidentResponse #securityweekcom #securityweek #SaltTyphoon #Government #log4shell #Microsoft #Lapsus #CISA #CSRB #DHS
-
DHS Disbands Cyber Safety Review Board, Ending One of CISA’s Few Bright Spots https://www.securityweek.com/dhs-disbands-cyber-safety-review-board-ending-one-of-cisas-few-bright-spots/ #IncidentResponse #SaltTyphoon #Government #Log4Shell #Microsoft #Lapsus$ #CISA #CSRB #DHS
-
#CVE-2021-44832 (#log4shell): Find vulnerable .jar files by searching for #hashes with #Jacksum 3.4.0
#FOSS #Java #Jacksum #HashGarten #hashfunctions #hashes #log4shell #log4j #cybersecurity #infosecurity #secops
-
US agencies must patch Log4j by Christmas
A list of affected products, still to be compiled by CISA, is meant to help secure the systems. US agencies have until Christmas Eve to do so.