Are people still looking at Log4j code, or has everyone moved on from it?

1.9k views3 Comments

VP, Director of Cyber Incident Response in Finance (non-banking), 10,001+ employees
I'm surprised that the roar over Log4j has dulled and gone quiet. I expected it to go on much longer than it did, and thought I would have seen a lot of security bug folks looking at the code even closer and finding a lot more issues than what’s been published. It’s almost like an afterthought now.
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
People looking at the Log4j code itself are operating on the idea that if there are dragons, then there'll be dragons. It’s probable there is more to find down there. We've also seen a phenomena I refer to as research clustering, which is unvalidated JNDI or misdirection within a Java app. That's probably in other places as well, not just Log4j. I think there was a disclosure in Jfrog and there are a couple others that have come out since.

In general, the panic around Log4j subsided quickly, perhaps because everyone was just tired. That's something that I've heard a lot. CISOs and even vendors were saying, "We really needed the holiday this year. Then this bug came up and just took us all out." That forced risk-based thinking around response in a way that might not always happen.
SVP in Finance (non-banking), 1,001 - 5,000 employees
There are people who have successfully exploited Log4j, but we haven’t seen any headlines related to it outside of the fact that there was a vulnerability. That could be why it's been a bit forgotten, because we haven't had news stories around it from an incident perspective. But bad actors who exploited Log4j could be in your environment right now, patiently waiting. It’s a hard situation to figure out at the moment. With Log4j, all you can do is start with your perimeter, do everything you can and then work your way through patching the apps, because it will be ongoing for years to come.

Content you might like

No plans on undergoing a migration yet34%

Currently deploying SAP S/4HANA27%

Migrating to SAP S/4HANA within the next 1-2 years19%

Migrating to SAP S/4HANA within the next 3-6 years9%

Already have SAP S/4HANA in production9%


31.6k views154 Upvotes32 Comments

CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
48.7k views133 Upvotes326 Comments