Are people still looking at Log4j code, or has everyone moved on from it?

VP, Director of Cyber Incident Response in Finance (non-banking), 2 years ago
I'm surprised that the roar over Log4j has dulled and gone quiet. I expected it to go on much longer than it did, and thought I would have seen a lot of security bug folks looking at the code even closer and finding a lot more issues than what’s been published. It’s almost like an afterthought now.
Founder/Chairman/CTO in Telecommunication, 2 years ago

People looking at the Log4j code itself are operating on the idea that if there are dragons, then there'll be dragons. It's probable there is more to find down there. We've also seen a phenomenon I refer to as research clustering, which is unvalidated JNDI or misdirection within a Java app. That's probably in other places as well, not just Log4j. I think there was a disclosure in JFrog and there are a couple of others that have come out since.

In general, the panic around Log4j subsided quickly, perhaps because everyone was just tired. That's something that I've heard a lot. CISOs and even vendors were saying, "We really needed the holiday this year. Then this bug came up and just took us all out." That forced risk-based thinking around response in a way that might not always happen.
SVP in Finance (non-banking), 2 years ago
There are people who have successfully exploited Log4j, but we haven’t seen any headlines related to it outside of the fact that there was a vulnerability. That could be why it's been a bit forgotten, because we haven't had news stories around it from an incident perspective. But bad actors who exploited Log4j could be in your environment right now, patiently waiting. It’s a hard situation to figure out at the moment. With Log4j, all you can do is start with your perimeter, do everything you can and then work your way through patching the apps, because it will be ongoing for years to come.