As the Log4J Problem swarmed the Internet, I’ve been thinking about the possible – Solutions. But, I found a blog post that pretty much covered it https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot.
Solution for the older versions, Application Server Administrators could remove the unused Appenders from the Jar File. If an app is logging only to Files or to Console, there is no problem – to remove JMS, Socket, JNDI and other types of logging implementations.
The problem with log4j CVE-2021-4428 / Log4Shell – can be found in
- Tesla (the car),
- Steam,
- Apple iCloud,
- vmware vCenter,
- iPhone,
- Elastic search/Logstash,
- Google Voice
- Smart Watches
- cctv Systems, printers…
It is unimaginable – how one small Library could have so much impact.
In this direction, I’ve written – the Logging Best Practices.
- Using Object Oriented Interfaces/facades/Capsulation
- Runtime Settings
- Minimal Dependencies by sometimes- Repeating Yourself