Terrific summary. Thanks. Completely agree that the problem is not the maintainers; rather the blind exploitation of their work, which is all too often completely taken for granted. After all, anyone could have spotted and fixed this - even someone being paid to do so.
Thank you so much for this video, it really helped me get my head around what was going on. I appreciate you taking the time out of your day to speak about it!
The explanation I've been looking for. Thank you so much!
Hey Anthony, this was helpful. I just wanted to say thanks.
You're great, man. The way you explain this is simply super.
Stuff like this always makes me feel bad for big open source project maintainers and I completely agree with your final discourse. Too many parts rely on and exploit the "open" part of open source. Great video as always!
Woonsan Ko will forever be known for Log4Shell....
Thank you for the explanation. As someone who is younger and wasn't coding pre-2016, I was really confused about how such a feature even existed allowing code to be executed remotely, and, as someone who hasn't worked on or maintained any open source projects, about how such a feature could make it through.
I think you're missing the point of Open Source. Remember Java itself wasn't Open Source, and it's very, very possible that lots of contemporary proprietary code contains such vulnerabilities; it's just undiscovered or unpublicized. Sorry to be defensive, but you seem to be implying FOSS is at fault in some way, when it's much more accurate to say this vulnerability could be examined and patched much more easily because it is Open Source. In fact, the possibility for it to have this video made about it is precisely because it is Open Source. Forget about understanding Apache vulnerabilities; you need to educate yourself about how FOSS works.
@squirlmy I'm not quite sure what you are arguing or defending. Nowhere did I say anything negative about open source. I simply said that I gained a better understanding of how something could make it through to an open source project: because maintainers are working for free, they have limited time, and many projects are complex, so some things slip through. You seem to be under the impression that I am somehow against open source? Yes, non-FOSS proprietary software can definitely, and does, have vulnerabilities like this. I never denied that, nor stated that non-FOSS is better than FOSS. FOSS is better than non-FOSS in transparency and fixing vulnerabilities. I don't think there is blame to be placed on anyone here; not every situation must have a guilty party. I think you read my comment and assumed I was against FOSS and was blaming it. That's not the case.
@erict8960 Talking from work experience, even paid jobs (highly paid ones as well) suffer from the same thing: either too much work or out-of-touch leaders can merge/commit code that has a vuln into the main tree. It happens all the time. You just hope that there is a security/QA team that can catch it before it gets released into the wild.
Great explanation. Thank you!
Thanks for the quick, digestible coverage! I'm using the analogy of SQL injection for discussion purposes of this exploit, since most devs are hyper-aware of that exploit. Are there other ways this vulnerability is being utilized that are not in the form of log injection?
It can run arbitrary code, so it is very different from a SQL injection (which is usually about data extraction or validation bypass).
Is JNDI the only Java API that makes log4shell possible?
Great explanation!
What's the blue ball between the keyboards?
it's a fidget spinner -- amzn.to/35PmPQr
Who’s going to patch the Rover?
lol, I hope either (1) it doesn't accept arbitrary user input or (2) they can remote update it
Let the old people who use JNDI burn in hell! (I have worked with the JVM since 2002.)