[Info-vax] Issues now found in log4j version 1
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Tue Feb 8 13:28:27 EST 2022
On 2022-02-08, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 2/8/2022 8:57 AM, Simon Clubley wrote:
>> On 2022-02-07, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> There are plenty of other logging frameworks out there.
>>>
>>> Java: jul, logback etc.
>>> .NET: log4net, NLog etc.
>>> PHP: log4php, Monolog etc.
>>> Etc.
>>
>> In addition to those, there are also the public facing loggers that
>> exist within an operating system itself.
>
> You mean Windows event log, *nix syslog, VMS various (operator log,
> audit log etc.)?
>
Yes. Those do processing of untrusted data and could be nice targets
for probing, especially those that can be reached via a network port.
If previous security events are anything to go by, there's now going
to be a good number of people looking at logging in general now that
researchers have had a high-profile success with log4j.

Simon.

--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.