‘Twas the week before Christmas, and all through the world,
Many developers were stirring, as a nightmare unfurled.
The log4j library, a simple tool just for logging,
Could suddenly be used to give your servers a flogging
This wasn’t like the movies, where super machines were needed,
and the hackers wore hoodies, and warnings had gone unheeded.
Just send the logger a message, and as quickly as that,
Your security was bypassed, and your applications ker-splat.
How did we find out? Often such hacks are invisible?
What crucial IT services suddenly became so risible?
Was it the stock exchange? Or healthcare ? No dont be so daft
It was OH MY GOD there’s a risk to Minecraft!
From the open source community, there arose such a clatter,
of CVEs and advisories about this most serious matter.
Linux and Windows, no one is spared from being smashed,
As hundreds of thousands of apps were so easily crashed.
Patch Tuesday became Wednesday, Thursday and Friday as well,
As IT departments all clamoured to fix the JNDI hell.
“Why the hell is there LDAP in a logging class?” asked some.
Because backward compatibility is the IT world’s scum.
Once a feature is there, it is in there forever,
For better or worse, it becomes permanently tethered.
It doesn’t matter that as time changes, it might no longer fit,
Because if you remove what was once there, people all lose their shit.
Version 2.15 was released to fix up the hole,
But the thread context map still was open to control.
Thus 2.16, 2.17 came one after the other.
Is anyone else feeling “Christ, why do I bother?”
You know the drill by now, keep downloading and patching,
Your 5000 servers to keep the backdoors from hatching.
Its ironic the patches we apply with nerver ending coercion,
Are to stop the risk of a DOS infinite recursion.
So in a year, where things could not possibly get worse,
log4j came along, and made our security a curse.
Maybe next year, there will be a change in our luck,
Because if its gets any worse, then we’re all gonna be f**ked