This was the best explanation of the weakness that I've found. Thank you. The bad news is that even if a large investment is made in open source today, it will take time to find and fix similar issues. The bad guys will be looking to not only exploit this issue, but be searching for similar ones and this creates a race condition in which they likely have a head start.
Super easy and complete explanation of Log4j. I also support your view on open source: with adversaries on the lookout, from a security perspective it is definitely recommended to avoid open source where you can. You are exposed when the code is exposed.
You are really a reliable source of education/reference in Java world by addressing current/trending issues with a great explanation video. Much appreciated & thanks for your great works. 🙏🏻
Thank you for the great explanation. As a cyber security analyst this helped me a lot to understand the problem in a clear way, and the way JNDI works. ⭐️⭐️⭐️⭐️⭐️
The corporate world sees only budgets and bottom lines and would scoff at any kind of "contribution" to a fund for supporting open source software development. It appears no one can be held accountable for this oversight. So no one can be blamed for it. I agree with you that this is a major example of the weakness of open source and the assumptions that go with it.
Thanks for the great explanation of Log4J. I never really fully understood what it was till I watched this video. Thanks for taking the time to post it.
Brilliant explanation. Thanks and though you said you are not a security expert, many of them on TV can hardly clarify it this way. The profit making companies will not spend to invest in open source. But stash their money in safe havens.
That criticism of “many eyes” is so moot I won’t even comment about it. Corporate funding / contributions of core common open source libraries still remains a problem on the other hand. Although it is well known and several projects have found ways to alleviate the situation over the last two decades. Other than that - good evenly paced explanation and examples 👍
Thanks for this interesting video. I did a lot of Java work about 10 years ago (now retired). I did use Log4J when I needed to find particularly difficult bugs that only surfaced in the production environment. Usually there would be some screwy set of data that was unforeseen during the QA process. So I would create a special release and then log the heck out of everything. I never liked logging in the production environment because it was a hit on performance. So if I had logging code in there I would turn it off somehow. I don't think Java has the #ifdef feature to remove sections of code from final compilation as C++ does. So I don't recall exactly how I did it. Anyway, that is another possible solution in addition to the ones you mentioned.
Good technical explanation. I myself as a budding developer have not gotten into logging (actually this whole vulnerability stuff has just made me more curious about it so down that rabbit hole I go lol) as of yet but once you brought things into context of SQL IAs I understood much better the implications. Thanks for the video.
As head developer of a document handling web application, I was the main target of frantic calls both internal and external. I didn't mind! It was one of those times when you could give a short definite answer that satisfied everyone. I wish all my support tickets were that way.
Hi Koushik, you are always easy to understand. Thanks for sharing this. Opensource runs the entire world of technology and internet. It's high time for big companies earning billions and millions to give it back to the community. Hope to see moral support for opensource volunteers and some business model to preserve this wonderful world of opensource.
I have been watching for this vulnerability and no one explains it that well on UA-cam. I think this video explained it very clearly and is a very good resource for tech people to get some understanding of this vulnerability.
Such lucid explanation👏👏👏. Please make such videos on other outages and attacks. There are lot of people I know who would love to hear your POV on such topics.
Really very nice explanation. In simple words, everyone in the java world (for the last 8 years) became fools because of this issue.. we don't know what other open-source libraries (like apache commons or commonly used libraries) may have issues with a CVSS score of 10.
Excellent explanation, my team of pen testers have been ensuring our systems are patched, this is by far one of the best examples, I will be doing a walkthrough of Log4j in a week in our channel to help our student base. Keep up the great work
Log4j 2.17 is out for vulnerabilities discovered in 2.16
Pp
Agree log4j 2.17 is out, but this is what I found in website:
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Word!
Yeah new patch coming
@@abhishekbs9639 if my server is secured by VPN and other things like VPN, no port access from outside,
can a Java application still get hacked??
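The version summary quoted above gives concrete boundaries (2.12.2 on the Java 7 line, 2.16.0 on the Java 8 line, 2.17 superseding 2.16) that a defender can apply to an inventory of log4j-core jars. The script below is an added example, not code from the video or from the Log4j project; it assumes the standard paths inside a log4j-core jar (the Maven pom.properties and the JndiLookup class) and runs against jars it constructs in memory.

```python
"""Maps the version boundaries quoted in the thread (2.12.2 on the Java 7 line,
2.16.0 on the Java 8 line, 2.17 superseding 2.16) onto the log4j-core jars in
an inventory. Sample jars are constructed in memory; no real bytecode is used."""
import io
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Paths inside a real log4j-core jar. Stripping JndiLookup.class from the jar
# was the widely published interim mitigation while an upgrade was pending.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

Version = Tuple[int, int, int]


@dataclass
class Finding:
    jar: str
    version: Optional[Version]
    has_jndi_lookup: bool
    status: str


def parse_version(text: str) -> Version:
    """'2.14.1' -> (2, 14, 1); '2.17' -> (2, 17, 0); qualifiers are dropped."""
    parts = [int(p) for p in text.strip().split(".")[:3] if p.isdigit()]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def read_core_version(zf: zipfile.ZipFile) -> Optional[Version]:
    """Read the Maven coordinates Log4j ships inside the jar; a jar without
    them (a shaded or relocated copy) is reported as unknown, not as safe."""
    if POM_PROPERTIES not in zf.namelist():
        return None
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return parse_version(line.split("=", 1)[1])
    return None


def classify(version: Optional[Version], has_jndi_lookup: bool) -> str:
    """Apply the boundaries from the thread: lookups in log messages are gone
    from 2.12.2 (Java 7) and 2.16.0 (Java 8); 2.17 supersedes 2.16."""
    if version is None:
        return "unknown: no log4j-core version metadata found, inspect manually"
    major, minor, patch = version
    if major != 2:
        return "not log4j 2.x: outside the scope of this check"
    if minor == 12 and patch >= 2:
        return "message lookups removed (2.12.2+, Java 7 line)"
    if (minor, patch) >= (17, 0):
        return "message lookups removed (2.17 line)"
    if (minor, patch) >= (16, 0):
        return "message lookups removed (2.16.0); 2.17 supersedes it, upgrade"
    if has_jndi_lookup:
        return "VULNERABLE: message lookups active and JndiLookup.class packaged"
    return "interim mitigation only: JndiLookup.class stripped, still upgrade"


def scan_jar(name: str, jar_bytes: bytes) -> Finding:
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        version = read_core_version(zf)
        has_jndi = JNDI_LOOKUP_CLASS in zf.namelist()
    return Finding(name, version, has_jndi, classify(version, has_jndi))


def build_sample_jar(version: str, include_jndi_lookup: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar: only the metadata and the one
    class path this check reads, with placeholder bytes instead of bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


# Constructed inventory: versions on both sides of the boundaries quoted above.
SAMPLE_JARS: Dict[str, bytes] = {
    "log4j-core-2.14.1.jar": build_sample_jar("2.14.1", True),
    "log4j-core-2.14.1-stripped.jar": build_sample_jar("2.14.1", False),
    "log4j-core-2.12.2.jar": build_sample_jar("2.12.2", True),
    "log4j-core-2.16.0.jar": build_sample_jar("2.16.0", True),
    "log4j-core-2.17.0.jar": build_sample_jar("2.17.0", True),
}


def scan_all(jars: Dict[str, bytes] = SAMPLE_JARS) -> List[Finding]:
    return [scan_jar(name, data) for name, data in jars.items()]


if __name__ == "__main__":
    for f in scan_all():
        shown = ".".join(map(str, f.version)) if f.version else "?"
        print(f"{f.jar:32} {shown:8} jndi_lookup={str(f.has_jndi_lookup):5} {f.status}")
```

To run it against a real host, replace SAMPLE_JARS with the bytes of each log4j-core jar found on disk (including copies nested inside application archives), which this example deliberately does not crawl.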
I was not satisfied with other contents out there. The moment I noticed your video I was sure before watching that now I am going to get 101% correct understanding as usual. Thanks a lot Koushik!
Agree with you brotha. U gotta love Koushik man… he the 🐐
exactly the same here. This video gave me a lot of relief and I immediately subscribed for it.
Best video on the topic. Thanks for sharing your knowledge
Just like open source, we have "stack overflow". People don't realize the efforts and time people devote to help this community keep going; be it open source or helping some developer out, we must respect it and do whatever we can in order to get things going.
I saw other videos on the same, but no one explained it better than you. Thanks a ton.. !!
You have superpower of explaining difficult things in easy words.
Nicely explained that companies don't value free open source stuff (that reminds me we don't thank you enough for making such great free content 😊).
Maybe 2nd version of this video would be (we always ask for more 😊).
1. Live example showing same vulnerability in action.
2. How exactly this issue is fixed. i.e. before and after comparison.
Hi Koushik, could you share which microphone and recording software do you use for recording?
You make a brilliant point. Often see huge companies tap into open source and brag about it, but forgetting to support the people actually doing it financially.
Very true and these same companies often spend fortunes for mocrosoft and orakle product lockins and endless forced migrations.
0:01 Intro
1:02 What is it
1:42 Security vulnerability
4:00 What exactly is the problem
8:22 Example
13:02 How to solve
18:42 Reality
20:34 Outro
More than the knowledge on this topic, I am overwhelmed by your thought towards people contributing for open source tools/apps. Your thoughts towards open source community is SO PURE. KUDOS!!! It's not always MONEY that matters, by the way. People like you having such noble intent towards society and community. KEEP THIS SPIRIT ON!!! Thanks
Thank you for explaining this. Especially the thought about many companies making money out of using open-source libraries but not giving back to the open-source volunteers.
The last part of the video regarding supporting open source software is really thoughtful. Thank you.
6:15 So much backward compatibility that even my great grandmother code can work on latest version of jvm 🧐🧐🤣 this line got me 👑👑😆
This is by far the best Log4J vulnerability explanation on the internet
I am watching this almost more than a year after this was released (yup, I'm not a techie/tech geek), and I have watched quite a few videos trying to understand this issue (esp. for non-techies), and this is one of the best videos explaining this issue!! And this is coming from a non-techie! Kudos!
Always come back to learn from your tutorials from my early college days (around 2013-14). Kaushik you are really a great teacher who can convey the knowledge in a simplified manner. Your view on private companies donating money to these opensource projects is spot on, but there are chances of these companies controlling the whole project and projecting their own agenda into it, so yes it would be great if we can support such projects financially but it's a tricky one. Also I'm thankful for people like you who provide such quality stuff, I have nothing but deep gratitude and I'm planning to become a member of your channel to support what you're doing, keep doing this we need more people like you :)
The way you ended the video with that thought provoking message is awesome
Your channel has been a single source of truth for all things Java for me for a very long time now. Thank you for the explanation.
Came for the vulnerability,
Left with a beautiful message.
Thank you.
I am not an IT professional but I know people who are and are frantically working to resolve their log4j issues. At least I know why now. This vid might be for java pros, but the explanation was clear even for a layman like me. Cheers!
I’m a total layman on this and am just informing myself so that I understand what is happening with my work’s response to the vulnerability. Your content is so clear yet detailed. Absolutely fantastic.
Explained well. I like the "Support model" you were talking about.
Excellent presentation of the issue for technical and non-technical audiences. I am very impressed with your ability to explain topics.
There is no general good PR in funding things like log4j because it is not something the general public will understand or even see as good. Compared to when companies fund general public needs, which everyone understands. In other words, things will get funded if the general public understands why it is a good thing that the company funds it. So, it is not necessarily the companies which are evil, but funding something while getting nothing out of it (because your competitor does not fund it) will leave you with a loss.
Excellent talk.
Always, always sanitize any input your application gets, from any source. Use one class that receives that input and filters it. I have seen clever programmers doing it that way. Every programmer should do this. My ISP’s router has such a vulnerability, my Xiaomi router has such a vulnerability. It is way too common.
Logs have a special functionality. I don't think having a whitelist in logs is a good idea. I mean imagine an attacker trying to fudge your application everyday and you never know because you have a whitelist around it and one day he succeeds.
Kaushik, your words are ultimate.. you got to be the professor for all java developers, like in the Money Heist serial!
So far one of the best explanations I've heard about this issue. Great job. "When was it really exploited?" Yes, great question...
I was watching this in Incognito mode but this explanation is so awesome that I had to come here to like it and comment on it. Awesome stuff. Thanks for all this effort.
I 100% agree with your last statement. Big companies should contribute to the open source community; these biggies are already investing in PR. There should be a competitive environment among these giants over how much they are contributing to the open source community.
Dude, that is hands-down the most informative, entertaining, and accurate description of the log4j vulnerability that I've enjoyed. Thanks!
Our engineers promptly upgraded the version of log4j as soon as it came to light, I just came here to understand what exactly happened. But my biggest takeaway is what you said at the end. The moral responsibility.
I am responsible for the modernization journey of one of the business units for our company, and I always advocated to use only open source projects. Which was successful. But, to my shame, yes, I never thought about this. We are a multi billion dollar org, and I'll make sure to have a conversation with the right people in our org chart to see if we can do our bit to support at least the open source projects that we use. Thank you for your insight. ❤
As usual, the best teacher out there, thanks Koushik!
You are 100% right, open source should be funded by big corporations who depend on it for continuous development and vulnerability assessments
One of the greatest explanations of this vulnerability
Brilliant, Sir. I agree with you, enterprises should have the responsibility to fund securing these open source software. After all they have made billions using these libraries to develop & sell software all these years.
Tech part is very well explained - no doubts in it. There is the touchy note for the moral responsibility. Very well expressed as well. The businesses that aspire and build themselves on these open source tools are often making huge profits but fail to recognize these underpinning elements that made things possible. So yes, a kudos to you for bringing this up.
Good technical explanation. Relevant facts around it and at last a thought provoking discussion. This was really worth the time. Please make a video on how to contribute to open source. Please use any open source project as an example. Thanks a lot again
Thanks for the crystal clear description of the problem. Not being a Java person myself, I had trouble understanding it first. It was not in my mind that a widely used Java lib could just like that interpret '${lookup}' stuff simply from user input. Even if there was no code injection possible, this is also a giant door open to DoS attacks as someone could just use a slow ldap and inject lookups just from the input. Forget ldap, jndi or whatever. Interpreting _anything_ , in _any_ way that can come from user is insecure in nature and should be done with extreme caution.
Extreme caution = proper filtering and escaping to avoid injection. Something still not mandatory in most app frameworks
And it took these many years to know the existence of this vulnerability!!!
Hats off!!
Thanks so much. I'm a c#/dotnet developer and I've seen my Java dev friends freaking out and now I get why.
I totally agree with the argument that organizations in today's world are using a lot of open source and making money out of it, so morally and ethically they can put some money back into open source and make it more secure. Thank you for the great video.
I am impressed by the level of detail you put here. Thank you for sharing this. The amount of detail is awesome.
All things were explained well and with satisfaction.
Well Koushik, I love your last statement and idea. Organizations should pay to open source communities.
Great video.. 👍👍👍
Thank you for the detailed explanation..
I agree with your point.. companies who are using log4j have moral obligation to support it.
I was excited throughout the video just like him. The big companies took log4j and its security for granted. Not just 2020, even 2021 will be remembered in history.
I don’t write Java, so my opinion is as a non-user, but this explanation was phenomenal. Thank you for dropping knowledge on me
Got the clear picture about the vulnerability after watching your video. Thank you.
I used to work as a paid open source developer. Meaning, the company I worked for felt that the value they received from open source software was worth hiring someone full time to work on their implementation of that software and give any improvements back to the community. As part of my masters project I did a study of open source in the corporation and found that many of the people I surveyed who work on open source are actually paid to do so. Meaning they work in a similar situation as mine in that they contribute to open source what they are paid to work on for their company. Granted this was over a decade ago and so I am not sure how it has changed. Open source is a varied and vast world and there are as many motives to contribute as there are people it seems. Corporate sponsorships of big and small projects are still popular, but I agree that it is impossible, even with many eyes looking at the code, to find all the vulnerabilities. This is a good example of that.
Your last message really touched me, it really raises a question on how we support open source. Also stay strong for all java programmers out there, it's been a hard time especially near year end holidays
This guy has become my favorite in the java world
This is the only channel I would press the JOIN button for.
The only video on youtube with such comprehensiveness about this vulnerability. This is what makes Java Brains stand apart from other tech channels. Thanks Koushik !
That explains the problem very well, better than any other place I have seen. Thank you very much. And a very good point to be taken into thought at the end of your video. Big companies are making money out of open source projects and basically those open source projects contributed to the income they have made. Open source projects never mandate paying them back if someone is using their projects and making money out of it, but those companies should have a self responsibility to contribute/fund back into the open source projects. Because there are a number of people who are working to improve them without getting paid a penny. Hats off to them. So the companies who never did their part cannot blame open source projects.
As a second year CS major, thank you, great video.
The most epic explanation!! Thank you, as a fellow Java dev, this is one of my fav Java channels
I work for Oracle's hospitality solutions team. We just patched our software products for this vulnerability. Mainly affected are payment interfaces we had to patch and we completed it late last week. The challenge was that many of our clients were on different versions of that affected payment interface so we had to upgrade all those clients to a specific minimal version of the interface and then backpatch to that. The solution and script was relatively easy. We mostly moved some files around without being able to get into too many details. Definitely not what we wanted before the holidays ;)
Open-source != secure. Many eyes is not the argument. The argument is:
1) You may audit log4j, if security is a concern.
2) This information about the vulnerability is public and you may handle that the way you prefer. Otherwise, the vuln. might be kept hidden by the owner to manage reputation.
3) You do not have to wait for months to get a fix. If log4j is not fixed immediately by the "team", then it is forked and fixed by someone else. Everyone is a stakeholder.
It is not that simple.
- How would you do this audit? As there is, to my knowledge, no guarantee that the source code on git is the one in the actual libraries you are running unless you compile them all yourself. This requires you to do an audit for every new pull request.
- There is no guarantee that the information about a vulnerability is open even if the project is open source.
- This is only true if you build your own software. If you buy something with open source included, you are still dependent on the provider to update.
In the end all software should be considered a vulnerability and you have to use defense in depth. In this case a good firewall policy would solve the entire issue.
@EspenSkaufel While I don't think open-source software is more secure, it is most definitely NOT less secure than closed-source software. Either way we must put our trust in a 3rd party entity, and hope they don't put in a backdoor or unintentional vulnerability.
@lucass8119 It is, as you say, about trusting a third party. I do not think open/closed source is a good metric to measure security, but at least open source makes it easier to see who did what after the fact.
A big thank you, Kaushik, for explaining issues bothering our teams.
You were the first to explain how the exploit worked. I get it now and get why it will be hard to fix. It was found in April 2021; just like most things, the person who found it let the community fix it and release a patch before saying it is a thing. The media got wind of a security patch for something almost all companies use a day before the patch was released. So it blew up in the media. The patch was not tested enough and a new exploit was put into it due to that. Secure code with 0 exploits is hard to write. You always have to depend on the dependency code to not have an exploit in it. The actual way to fix it is to get rid of all dependencies and write it that way. The downside will be that bugs and exploits found in the parts needed from them will most likely be copied to it, while the parts not needed will not be remade nor copied over to the library. It will also make a bigger library file due to everything needed to work being included in said file. It isn't how Java is traditionally written either.
Seen several videos, but I felt complete on this issue once I saw this video from JavaBrain.
This was the best explanation of the weakness that I've found. Thank you. The bad news is that even if a large investment is made in open source today, it will take time to find and fix similar issues. The bad guys will be looking to not only exploit this issue, but be searching for similar ones and this creates a race condition in which they likely have a head start.
Super easy and complete explanation of Log4j. I also support your view on open source; with adversaries on the lookout, from a security perspective, it is definitely recommended to avoid open source where you can. You are exposed when the code is exposed.
The best explanation about Log4J Vulnerability, Thank you for explaining fully
This is the first time I have seen a video of yours... you are amazing... keep it this way... You are really amazing... Bravo!
You are really a reliable source of education/reference in the Java world, addressing current/trending issues with a great explanation video. Much appreciated, and thanks for your great work. 🙏🏻
Thanks for clearly explaining the problem and the solutions available to a non-dev. I agree that open-source users should contribute back.
Thank you for the great explanation. As a cyber security analyst, this helped me a lot to understand the problem in a clear way, and the way JNDI works.
⭐️⭐️⭐️⭐️⭐️
The corporate world sees only budgets and bottom lines and would scoff at any kind of "contribution" to a fund for supporting open source software development. It appears no one can be held accountable for this oversight. So no one can be blamed for it. I agree with you that this is a major example of the weakness of open source and the assumptions that go with it.
Finally someone whose explanation helped me !!
Yes. Big companies (at least) who use popular open source applications need to support them with fair funding.
Kaushik, Good Explanation. 👍🏽👏🏽
Kaushik bro, you make things so easy and interesting; thanks for making the video.
Thanks for the great explanation of Log4J. I never really fully understood what it was till I watched this video. Thanks for taking the time to post it.
Threw a like for your great grandmother being a long time Java coder.
I love your way of talking and explaining things; keep this knowledge coming. Many thanks.
Brilliant explanation. Thanks, and though you said you are not a security expert, many of them on TV can hardly clarify it this way. The profit-making companies will not spend to invest in open source, but stash their money in safe havens.
This is where DevSecOps comes in. Secured by design and by default. Good informative video.
Agree with all comments, very very well explained mate… we need a "Support Model" to support you.
Well, we can always get his channels membership.
That criticism of “many eyes” is so moot I won’t even comment about it.
Corporate funding / contributions to core common open source libraries still remain a problem, on the other hand, although it is well known and several projects have found ways to alleviate the situation over the last two decades.
Other than that - good evenly paced explanation and examples 👍
If Kaushik is there, it is possible.
Thanks Master.
Thanks for this interesting video. I did a lot of Java work about 10 years ago (now retired). I did use Log4J when I needed to find particularly difficult bugs that only surfaced in the production environment. Usually there would be some screwy set of data that was unforeseen during the QA process. So I would create a special release and then log the heck out of everything. I never liked logging in the production environment because it was a hit on performance. So if I had logging code in there I would turn it off somehow. I don't think Java has the #ifdef feature to remove sections of code from final compilation as C++ does. So I don't recall exactly how I did it. Anyway, that is another possible solution in addition to the ones you mentioned.
Good technical explanation. I myself, as a budding developer, have not gotten into logging as of yet (actually this whole vulnerability stuff has just made me more curious about it, so down that rabbit hole I go lol), but once you brought things into the context of SQL IAs I understood the implications much better. Thanks for the video.
Thank you so much for your explanation. I have read lots of articles to understand this vulnerability, but it was not absorbed till I saw this video.
As head developer of a document handling web application, I was the main target of frantic calls both internal and external. I didn't mind! It was one of those times when you could give a short definite answer that satisfied everyone. I wish all my support tickets were that way.
Hi Koushik, you are always easy to understand. Thanks for sharing this. Open source runs the entire world of technology and the internet. It's high time for big companies earning billions and millions to give it back to the community. Hope to see more moral support for open source volunteers and some business model to preserve this wonderful world of open source.
Your explanation was compelling and precise. Short and very informative. Thanks for that. Well done, good job !!!
God bless everyone actively participating in Open Source. They keep the internet active.
Loved the last thoughtful arguments and questions in the end!! Great work!
The people who wrote sysout instead of logger will be rewarded now, I believe.
Yup 😀, sysouts would be just fine; this vulnerability will not affect them.
Wonderful video Kaushik! Unparalleled quality content!
Explanation, and the support and moral obligation logic, is a point to note for industry..
Thank you Kaushik for that 9:30 explanation. Finally understood what that expression was being used for.
I have been watching for this vulnerability and no one explains it that well on YouTube. I think this video explained it very clearly and is a very good resource for tech people to get some understanding of this vulnerability.
Best content by best mentor. Thanks a lot
Excellent explanation with real time example.
Great stuff..👏
This is the best video I have seen this year on YouTube..
Such lucid explanation👏👏👏. Please make such videos on other outages and attacks. There are lot of people I know who would love to hear your POV on such topics.
Simple explanation for a bigger problem 👍
This is an impeccable video! Kudos, Koushik!
SQL injection is the 1st thing that came into my mind when I learnt about it.
Thanks so Much, one of the best explanations of the vulnerability.
Really very nice explanation.
In simple words, everyone in the Java world (for the last 8 years) became fools because of this issue.. we don't know what other open-source libraries (like Apache Commons or other commonly used libraries) may have issues with a CVSS score of 10.
Talk about simplifying.. excellent explanation Kaushik! Thank you 🙏🏼
Excellent explanation. My team of pen testers has been ensuring our systems are patched; this is by far one of the best examples. I will be doing a walkthrough of Log4j in a week on our channel to help our student base. Keep up the great work.