Study shows 38% of Java apps still affected by Log4j vulnerability log4shell (opens in new tab)

(theregister.com)

38 pointsakoster2y ago8 comments

8 comments

This does not surprise me. Updating software takes time, effort, and is risky. It's also not fun. The result is a lot of people ignore it even though it means their software can be easily hacked. Note I think people should keep their dependences update to date. Unfortunately, I also know human nature and that means I know many won't.

You see a similar problem with obsolete computers, operating systems, phones, routers, etc. People keep them connected to the Internet even though they have known vulnerabilities. People who do this will even claim they have not been hacked.

pjmlp2y ago

This will only change when liability becomes a regular thing in computing, like in every other industry out there, instead of only high integrity computing.

Thankfully the wheels are already set in motion.

Buttons8402y ago

Hopefully we don't go down the "liability for open-source code, not for businesses" road.

We'll have to allow open-source code to waive liability, but not allow companies to waive liability; that's tricky and will go against the interest of the rich and powerful, so it will be especially hard to navigate.

I_Am_Nous2y ago

Apathy is definitely the issue. Sometimes you tell a vendor about an issue and they say their app doesn't use Log4J even though it's gobbling up the Log4J test script in the username field...they don't want to care, so you can't make them.

bzzzt2y ago

Maybe they only use the log4j test script ;)

Or maybe someone had to run some scanning tool which reported 'no vulnerabilities'.

Exploiting log4j requires logging to be influenced by user input. Even if an application includes a vulnerable log4j but doesn't bother to log anything there's zero risk. In that case apathy saved you ;)

ddol2y ago

Knowing that a vendor you selected is mishandling your users data and doesn’t care to secure their systems is unacceptable.

Time to find a new vendor, as your continued usage of their unsecured services is now a liability.

bzzzt2y ago

Welcome in the world of enterprise software where you don't get to choose what software you use and your company doesn't care.

I_Am_Nous2y ago

Luckily they aren't our vendor. But I agree completely.

j / k navigate · click thread line to collapse

8 comments

StressedDev2y ago

pjmlp2y ago

This will only change when liability becomes a regular thing in computing, like in every other industry out there, instead of only high integrity computing.

Thankfully the wheels are already set in motion.

Buttons8402y ago

Hopefully we don't go down the "liability for open-source code, not for businesses" road.

I_Am_Nous2y ago

bzzzt2y ago

Maybe they only use the log4j test script ;)

Or maybe someone had to run some scanning tool which reported 'no vulnerabilities'.

ddol2y ago

Knowing that a vendor you selected is mishandling your users data and doesn’t care to secure their systems is unacceptable.

Time to find a new vendor, as your continued usage of their unsecured services is now a liability.

bzzzt2y ago

Welcome in the world of enterprise software where you don't get to choose what software you use and your company doesn't care.

I_Am_Nous2y ago

Luckily they aren't our vendor. But I agree completely.

j / k navigate · click thread line to collapse