Log4J Vulnerability (Log4Shell) Explained - for Java developers

Log4j 2.17 is out for vulnerabilities discovered in 2.16

More than the knowledge on this topic, I am overwhelmed by your thought towards people contributing for open source tools/apps. Your thoughts towards open source community is SO PURE. KUDOS!!! It's not always MONEY that matters, by the way. People like you having such noble intent towards society and community. KEEP THIS SPIRIT ON!!! Thanks

Explained well. I like the "Support model" you were talking about.

Kaushik your words are ultimate..you got to be the professor for all java developers as like in money heist serial.!

AS usual, the best teacher out there, thanks Koushik!

6:15 So much backward compatibility that even my great grandmother code can work on latest version of jvm 🧐🧐🤣 this line got me 👑👑😆

I’m a total layman on this and am just informing myself so that I understand what is happening with my work’s response to the vulnerability. Your content is so clear yet detailed. Absolutely fantastic.

I am watching this almost more than a year after this was released (yup, I'm not a techie/tech geek), and I have watched quite a few videos trying to understand this issue (esp. for non-techies), and this is one of the best videos explaining this issue!! And this is coming from a non-technie! Kudos!

I was not satisfied with other contents out there. The moment I noticed your video I was sure before watching that now I am going to get 101% correct understanding as usual. Thanks a lot Koushik!

Tech part is very well explained - no doubts in it. There is the touchy note for the moral responsibility. Very well expressed as well. The businesses that aspire and build themselves on these open source tools are often making huge profits but fail to recognize these underpinning elements that made things possible. So yes, a kudos to you for bringing this up.

All things were explained well and with satisfaction.
Well Koushik, I love your last statement and idea. Organizations should pay to open source communities.

Got the clear picture about the vulnerability after watching your video. Thank you.

The most epic explanation !! thank you, as a fellow Java dev, this is one of my fav Java channels

Explanation and support nd moral obligation logic is point to note by industry..

The best explanation about Log4J Vulnerability, Thank you for explaining fully

Thank you so much for your explanation, I have red lots of articles to understand this Vulnerability but it was not absorbed till i saw this video

As head developer of a document handling web application, I was the main target of frantic calls both internal and external. I didn't mind! It was one of those times when you could give a short definite answer that satisfied everyone. I wish all my support tickets were that way.

This is the only channel I would press the JOIN button for.

Thanks so much. I'm a c#/dotnet developer and I've seen my Java dev friends freaking out and now i get why.

Excellent explanation with real time example.

Good technical explanation. I myself as a budding developer have not gotten into logging (actually this whole vulnerability stuff has just made me more curious about it so down that rabbit hole I go lol) as of yet but once you brought things into context of SQL IAs I understood much better the implications. Thanks for the video.

0:01 Intro
1:02 What is it
1:42 Security vulnerability
4:00 What exactly is the problem
8:22 Example
13:02 How to solve
18:42 Reality
20:34 Outro

You are 100% right, open sources should be funded by big corporations who depends on them for continuous development and vulnerability assessments

Your teaching style is fantastic. Could you perhaps do some microservices-related videos for us? such as microservice transactions, log tracing, and other microservice-related challenges

Thank you for explaining this so well. Grateful to you 😀

you were the first to explain how the exploit worked. I get it now and get why it will be hard to fix. It was found April 2021just like most things the person who found it let the community fix it and release a patch before saying it is a thing. The media got wind of a security patch for something almost all companies use a day before the patch was released. So it blew up in the media. The patch was not tested enough and a new exploit was put into it due to that. Secure code with 0 exploits is hard to write. You always have to depend on the dependency code to not have a exploit in it. The actual way to fix it is to get rid of all dependencies and write it that way. The down side will be bugs and exploits found in the parts needed from them will most likely be copied to it while the parts not needed will not be remade nor copied over to the library. It will also make a bigger library file due to everything needed to work being included in said file. It isn't how java is traditionally written either.

Thank you for explaining this simple. Great content as always

I was really waiting for your video about this vulnerability issue. Thanks lot 😊

Thanks a lot for sharing the great and most useful information. I'm sure this is gonna be asked in interviews.

Your narration is really good. After going through the video i can understand the severity of this attach.
Also your corporate support approach is interesting, hoping all big companies will share there CSR to these kind of projects

Great Explanation, loved every part of it. Waiting for next video on this topic explaining what they did to resolve this vulnerability in the latest patch!

Amazing delivery with rich content. Love it! Thanks a lot.

Feels, this one video is enough to understand log4j.

Excellent explanation. I particularly liked the ending note (thoughts).

Excellent explanation, well done. Now, not being a Java fan since it was considered bulletproof back in the 90’s, it really surprised me to find out about the JNDI functionality. I see this as a backdoor and, by default, would always have it closed by royal decree. Thanks for the video!

Really appreciate your time making this video. Thank you!

Simple explanation for a bigger problem 👍

I am so happy I thought of SQL injection before he pointed it out.

Well done! Very clear explanation of this problem. Thanks!

Amazing Explanation!!! Thanks a lot!

Nice Thought about Moran Responsibility , We should think it.

That criticism of “many eyes” is so moot I won’t even comment about it.
Corporate funding / contributions of core common open source libraries still remains a problem on the other hand. Although it is well known and several projects have found ways to alleviate the situation over the last two decades.
Other than that - good evenly paced explanation and examples 👍

Finally understood at least ‘what’ and ‘how’ of it

Thank you for beautifully explaining this vulnerability

Would like to say SUPERB EXPLANATION

Great Thoughts About The Open Source Teams...

Great and very detailed explanation!

Thank you for the wonderful, informative video.

Just one of those video you log in just to like and subscribe after watching. Thank you

Brilliant discussion

Very clear explanation as always. Your words does not only make us understand stuff but also allow us to think forward which is important.

Nice and clear explanation! Thanks

Excellent explanation, also the idea of support model 👍👍

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect from uncontrolled recursion from self-referential lookups. When the logging configuration uses a non-default Pattern Layout with a Context Lookup (for example, $${ctx:loginId}), attackers with control over Thread Context Map (MDC) input data can craft malicious input data that contains a recursive lookup, resulting in a StackOverflowError that will terminate the process. This is also known as a DOS (Denial of Service) attack.

Amazing Explanation, just loved it. I have been pondering over various articles to figure this out. @JavaBrains

Thank you for the great Explanation

Thank you so much for detailed explanation Sir!!

As an enterprise SAP developer you learn it hard way - every external library becomes your liability the moment you start using it.

Spot on Kaushik.

Really well explained 👍👍

Well done and the timely resolution on this matter.

How was this vulnerability discovered kaushik? The video did give a good understanding over the concept... It would nice to understand how it was detected and mitigate was proposed... That will be good use case to discuss over open source frameworks

Nicely Explained 👍👍

Very well explained

Very well explained thanks

Thanks for this high quality content.

Nicely explained. Thanks

This again shows the importance of secondary security measures. When you whitelist ups for outgoing internet connections for example this bug is almost impossible to exploit as you need to be able to connect to a malicious ldap server.

Great explanation

@2:31 nope, I actually do secuirty audits on the source code of 3rd party libraries before using them in secuirty sensitive applications and I also do the same for the native java API too.

awesome explanation

Very interesting snd well explained!

Best explaination

My primary problem here is that those flags aren't false by default.
My secondary problem is that someone at that logging library thought evaluating random strings was a good idea.

such a great video. Thanks.

As always great content. Thanks a lot.

Great video! Thanks a lot

Yo, so that vulnerability is very similar to SQL injection, right?
Omg, I literally have just written this comment, unpaused the video and on the very next frame you started discussing similarity to SQL injection, what a coincidence 😅
Great video tho, the explanation I actually wanted to hear, thanks a lot! 😊

The argument for open source is correct, but there's also another argument for proprietary code:
1. You don't know if they introduce back-doors on purpose
2. If someone finds an unknown backdoor then maybe this never get disclosed because no peers looking at it.

This is an amazing video!

I got this issue on Saturday and had to upgrade the log4j version to 2.16 over the weekend and then released in production..

Earlier they were saying update to 2.15.0 than vulnerability found in it and they have resolved in 2.16.0 version, even we updated the version to 2.16.0 now vulnerability found in 2.16.0 as well. Not sure how many vulnerabilities are present in log4j2 jar and this is getting frustrating day by day.

Looking back on the Minecraft side this was causing Panic and legit caused players to stop playing Java Edition until it was fixed (It was so bad it shutdown the 2B2T Server which takes a lot to do but before it did one of the members was using the exploit to patch the exploit and another one might be on the FBI or whatever equivalent Most Wanted list)
Bedrock wasn't affected since it used C++

so many similar vulnerabilities like this

well explained!!!

Great explanation. However I have not understood how the hacker will modify my logging statements that uses log4j and add a lookup to point to remote code?.

Good thoughts!

Thank you very much.

Thanks, Koushik for explaining the issue in many simpler terms... i have 2 questions
1->The log4j, in general, is vulnerable or their specific jar log4j-core is found to be vulnerable and if yes, then the projects are using the other log4j jars also need to be updated?
2-> The projects running on log4j 1. x version also needs to be upgraded and if currently not possible can they survive by putting the config of JNDI lookup to false in log4j.properties file?
Thanks in advance

You have superpower of explaining difficult things in easy words.
Nicely explained that companies don't value for free open source stuff ( that reminds me we don't thank you enough for making such great free content 😊).
Maybe 2nd version of this video would be (we always ask for more 😊).
1. Live example showing same vulnerability in action.
2. How exactly this issue is fixed. i.e. before and after comparison.

Thanks for the great explanation!

I saw other videos on the same, but no one explained it better than you. Thanks a ton.. !!

Good technical explanation. Relevant facts around it and at last thought provoking discussion. This was really worth the time. please make a video on how to contribute to open source. please use any open source project as example . Thanks a lot again

All those coders who use string concatenation instead of Log4J pattern for logging, now have an excellent excuse. lol😁

Just like open source we have "stack overflow" people don't realize the efforts and time people devote to help this community to keep going, be its open source or helping some developer out, we must respect and do what ever we can in order to get things going.

That last explanation about environment variables was exactly what happened to Brazilian government's covid app. They stole the AWS key and redirected the DNS to their server. 😂😂😂😂

Always comeback to learn from your tutorials from my early college days (around 2013-14). Kaushik you are really a great teacher who can convey the knowledge in simplified manner. Your view on Private companies donating money to these opensource project is spot on, but there is chances of these companies controlling the whole project and projecting their own agenda into it, so yes it would be great if we can support such projects financially but it's tricky one. Also I'm thankful for people like you who provide such a quality stuff, I have nothing but deep gratitude and I'm planning to become member of your channel to support what you're doing, keep doing this we need more people like you :)

The last part of the video regarding supporting open source software is really thoughtful. Thank you.

The ppl who written the sysout instead of logger will be rewarded now I believe

Thank you for explaining this. Especially the thought about many companies making money out of using open-source libraries but not giving back to the open-source volunteers.