I’ve heard people mention curl and imagemagick. Any others that you know about?

    • axtualdave@lemmy.world
      link
      fedilink
      English
      arrow-up
      33
      ·
      2 years ago

      The neat thing about the log4j thing was even a cursory explanation of the vulnerability made anyone with a passing familiarity with security say, “Why the fuck would that even be a feature?!”

      • boonhet@lemm.ee
        link
        fedilink
        English
        arrow-up
        22
        ·
        2 years ago

        As a non-java company developer at the time, I think our biggest challenge was explaining to everyone that Log4j didn’t affect us. It took a non-zero amount of effort because a lot of customers panicked. To be fair, it was also an industry where confidentiality is important.

        • JackbyDev
          link
          fedilink
          English
          arrow-up
          7
          ·
          2 years ago

          Also a lot of people were pulling it transitively.

      • BinaryEnthusiast@beehaw.org
        link
        fedilink
        English
        arrow-up
        6
        ·
        2 years ago

        Oh man. I missed it by like a month. I graduated with my bachelors in December, and started in January. I was hearing horror stories from my new coworkers about how people had to cancel vacations to get stuff patched asap

      • argv_minus_one@beehaw.org
        link
        fedilink
        English
        arrow-up
        5
        ·
        2 years ago

        It was if none of your code used log4j. I remember being very grateful that I had chosen java.util.logging and Logback for my Java logging needs.

        • OneDimensionPrinter@lemm.ee
          link
          fedilink
          English
          arrow-up
          3
          ·
          2 years ago

          Lol, yeah for us we didn’t own any of the code that used it but depended on server software made internally that did. At the time we managed our own hosts, so it was a long week of deployments.

    • elrac@kbin.social
      link
      fedilink
      arrow-up
      6
      ·
      2 years ago

      That one was so annoying because you had to be using the log server to have any issues. If your network was locked down, the log server was disabled, or if you happened to be using a version that was from before the log server was added, then there were no issues. But clients just heard “log4j” and thought it was unsafe.

    • Haus@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      2 years ago

      Couldn’t remember which logging library it was, thanks for mentioning it, it would have low-key bugged me all day.