Log4Shell

I’m sure all of you have heard about what the press have dubbed Log4Shell, a growing family of vulnerabilities affecting the log4j package. Some of you may even be responsible for patching and auditing affected systems… assuming a nefarious actor hasn’t done the former for you to get a permanent foothold. Fun times!

Much like other high-profile exploits like Heartbleed and Meltdown/Spectre, it didn’t take long for the armchair experts to weigh in with the steamiest of hot takes. I don’t even especially like hot cakes, but I think we’d all benefit from consuming those instead.

What’s the difference between a hot cake, pancake, or pikelet?

These reactions have been as predictable as the silliness resulting from my various hat choices:

  • Java itself is antiquated, pointless, shouldn’t be used, not type safe, etc. One wonders how many of these people still use bash after Shellshock, or OpenSSL after Heartbleed, or a modern CPU after speculative exploits, or…! Heaven forbid when a data sanitisation issue affects a Rust package.

  • More broadly, the developers and maintainers of the affected log4j package were stupid, made elementary mistakes these experts would never be caught making, and could have benefited from their hindsighted wisdom.

I liken these reactions to the critics who point at an artwork and say “eh, I could have painted that”. More to the point, where were they before the details were announced? Funny how that works.

At least this time it didn’t take long for people to recognise another under-appreciated and under-resourced open source team whose efforts hold up so much of the infrastructure we depend on. Whether that translates into meaningful action within the industry we’ll have to see. I donate to a bunch of projects and foundations, though I’m sure I could be doing more, too.

Hug a Java developer or sysadmin, I’m sure they need it. Maybe make them a nice pancake.

Author bio and support

Ruben Schade is a technical writer and IaaS engineer in Sydney, Australia who refers to himself in the third person in bios. Wait, not BIOS… my brain should be EFI by now.

The site is powered by Hugo, FreeBSD, and OpenZFS on OrionVM, everyone’s favourite cloud infrastructure provider.

If you found this post helpful or entertaining, you can shout me a coffee or buy some silly merch. Thanks!