the logo for log4j

Twas the night before … log4j

Posted by

‘Twas the week before Christmas, and all through the world,
Many developers were stirring, as a nightmare unfurled.
The log4j library, a simple tool just for logging,
Could suddenly be used to give your servers a flogging

This wasn’t like the movies, where super machines were needed,
and the hackers wore hoodies, and warnings had gone unheeded.
Just send the logger a message, and as quickly as that,
Your security was bypassed, and your applications ker-splat.

How did we find out? Often such hacks are invisible?
What crucial IT services suddenly became so risible?
Was it the stock exchange? Or healthcare ? No dont be so daft
It was OH MY GOD there’s a risk to Minecraft!

From the open source community, there arose such a clatter,
of CVEs and advisories about this most serious matter.
Linux and Windows, no one is spared from being smashed,
As hundreds of thousands of apps were so easily crashed.

Patch Tuesday became Wednesday, Thursday and Friday as well,
As IT departments all clamoured to fix the JNDI hell.
“Why the hell is there LDAP in a logging class?” asked some.
Because backward compatibility is the IT world’s scum.

Once a feature is there, it is in there forever,
For better or worse, it becomes permanently tethered.
It doesn’t matter that as time changes, it might no longer fit,
Because if you remove what was once there, people all lose their shit.

Version 2.15 was released to fix up the hole,
But the thread context map still was open to control.
Thus 2.16, 2.17 came one after the other.
Is anyone else feeling “Christ, why do I bother?”

You know the drill by now, keep downloading and patching,
Your 5000 servers to keep the backdoors from hatching.
Its ironic the patches we apply with nerver ending coercion,
Are to stop the risk of a DOS infinite recursion.

So in a year, where things could not possibly get worse,
log4j came along, and made our security a curse.
Maybe next year, there will be a change in our luck,
Because if its gets any worse, then we’re all gonna be f**ked

Merry Christmas Smile

One comment

  1. +25 years ago it was more or less 1 language/ 1 operating system mostly, gave time for developers to become proficient.

    Now all this laughable swamp of open source with no one inside enterprises really caring and evaluating risks, they all maker lots of PPTs and even careers as security experts.. but in the end, no one really caring duing thigns on right way.

    I been saying for some years “i would not enjoy to be IT manager” on this swamp times of multi layers open sources..

Got some thoughts? Leave a comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.