Log4j: Between a Rock and a Hard Place

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com
Logging Kubernetes Website Apache Docker

InfluxDB
Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
Our great sponsors

  • Apache Log4j 2

    Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.

    • Minecraft servers were one part of it... Minecraft clients where another.

    If you sent a message to everyone with a client (that logged that message), everyone with a client would at least ping back to the ldap server.

    The issue where this was introduced was: https://issues.apache.org/jira/browse/LOG4J2-313

    That's from 2013. On the other hand, nothing with it really happened until someone asked if it was a security vulnerability - https://github.com/apache/logging-log4j2/pull/608#issuecomme...

    And then all hell broke loose.

    Simply said, this was a feature that was intended to make it easier for one company to use their structure with ldap lookups for where/how to log. The author of the change did what many people encourage others to do when working with open source "here's some code that I wrote, I'm contributing it back upstream."

    If this was part of something "bigger", it sat quiet for the better part of a decade.

  • adoptium.net

    Discontinued Development of the website has moved to https://github.com/adoptium/website-v2

  • InfluxDB

    Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

    InfluxDB logo

  • ThreatMapper

    Open source cloud native security observability platform. Linux, K8s, AWS Fargate and more.

    • How we visualized and fixed runtime exposure due to vulnerable Elasticsearch, using ThreatMapper

    https://deepfence.io/cve-2021-44228-log4j2-exploitability-an...

    https://github.com/deepfence/ThreatMapper

  • rg32hash

    Open source RadioGatún[32] implementations in C, C++, Python, PHP, Javascript, Lua, and C# (.NET)

    • Thank you again for the informative reply. I saw two dbus-daemons running on my Ubuntu server; I killed the user d-bus daemon process running as me and nothing seems to break, so while it’s there, it doesn’t seem to be used by anything on my server.

    While I do note that systemd man page, it goes in to no detail about how dbus leaks the environment.

    Looking at the D-Bus specification [1], org.freedesktop.DBus.UpdateActivationEnvironment is the only thing which concerns itself about the environment. It says that the “session bus activated services inherit the environment of the bus daemon”, so it looks like the D-Bus leakage is any system-level environmental variables set when the D-Bus daemons are started, or any variables set using UpdateActivationEnvironment.

    The concern here appears to be that system-level environmental variables aren’t safe. Now, nothing about a user process setting something like export FOO="top secret password" being unsafe.

    I have already noted the various ways environmental variables can leak over at https://github.com/samboy/rg32hash/blob/master/C/microrg32.m... and will update the D-Bus information based on what I read in the D-Bus spec.

    [1] https://dbus.freedesktop.org/doc/dbus-specification.html

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.

Suggest a related project

Related posts