TL; DR: One of the most popular Java logging library allows code execution, potentially by unauthenticated users.
Should we worry, as /e/ users? Basically, does a fresh install includes apps that rely on a non-patched version of log4j-core? Are there popular and often-installed apps that do? If so, what can we do (while waiting for updates, hopefully) to protect ourselves?
(PS: Could not find topics or tags focused on security. Feel free to move that post if need be.)
Checked with the team on this. We do not use any java server apps. The team is rechecking just to make sure. Will update if there is any change in the status.
Thanks for the fast and reassuring answer!
Not sure these have to be servers, though. I think that (random example incoming!) logging incoming SMSs would be a risk. As long as you don’t have full control over what’s being logged, while someone else can provide the string they want…
From our experience at work a lot of systems use old and unsupported log4j version 1.2.17, which is not vulnerable to this particular attack - but has an old known vulnerability to a different, lesser attack. So if /e/ does use log4j v1 it should* be ok. *I’m not a security expert, just stuff Ive been reading online.
Interesting list of “vuln / not vuln” info on many pieces of software; dunno if it can come in handy:
(Personally used it to check that my IDE was safe.)
Edit: I can’t post links to GitHub, apparently xD So I’ll give a path-ish thingy instead:
github dot com slash NCSC-NL → log4shell → software/README.md