fomine3 on Dec 10, 2021 | on: Log4j RCE Found
It's horrible that the vuln is fixed in an open PR, never assigned a CVE, and a fixed version never released unless a 0day is shown in the wild.
88joshgree on Dec 11, 2021
Yeah, and by someone who works for Palantir no less - wonder how long they have been using it!?
philipwhiuk on Dec 11, 2021
1. I believe that the zero day was released before the fix
2. There's no practical way to responsibly disclose a bug in a core library
88joshgree on Dec 11, 2021
Nah there was a PR to mitigate in 2016 -> https://issues.apache.org/jira/browse/LOG4J2-2109