Talk:Log4Shell

Date format
This article currently uses DMY dates, but Log4j and other technology articles use MDY dates. I think it would be worth switching for consistency? &horbar;Jochem van Hees (talk) 12:35, 13 December 2021 (UTC)


 * ✅ - User94729 (talk) 14:00, 13 December 2021 (UTC)
 * I don't think there's a specific policy on technology articles, but we should definitely be consistent, so I agree. Ovinus (talk) 16:22, 13 December 2021 (UTC)

hi, I don't understand this edit. How was that a "recent test"? &horbar;Jochem van Hees (talk) 09:23, 14 December 2021 (UTC)


 * In general per MOS:RETAIN, there probably wasn't a need to change it either. I doubt one related article using it reduce ambiguity or similar (if it does, I wouldn't be opposed to changing the variant) — Berrely  • Talk∕Contribs 20:30, 14 December 2021 (UTC)

Technical explanation
I was going to add a more in-depth explanation of how the vulnerability works, maybe a couple paragraphs, but thought I should see what others think. It definitely has encyclopedic value by showing anyone with moderate computer knowledge how simple and dangerous the exploit is, and I doubt including it has any ethical concerns given how widespread information about it is—including on major tech websites. For reference, Heartbleed has a section explaining it, albeit poorly cited; Shellshock (software bug) has pretty extensive detail, including exploit code. Ovinus (talk) 14:38, 13 December 2021 (UTC)


 * You actually posted this while I was also looking into writing an explanation; it really could do with one. Currently the article doesn't even mention that it is triggered by pasting a certain string somewhere to get it to be logged, that seems like it is like basic information about the exploit. &horbar;Jochem van Hees (talk) 14:50, 13 December 2021 (UTC)
 * Agreed. User:Ovinus/sandbox contains my draft. Cheers, Ovinus (talk) 15:16, 13 December 2021 (UTC)
 * I think that's pretty good! For that citation needed at the end, I also found this source which also goes more into depth about the environment variables thing (in section 8): . &horbar;Jochem van Hees (talk) 15:32, 13 December 2021 (UTC)
 * Awesome, thanks a ton for the source—I was struggling to find something reliable of that detail. I've put it in the article now. Ovinus (talk) 15:42, 13 December 2021 (UTC)

Used before published, or published before used?
The article is written like it was published before people used it, but all the articles call it a "zero-day" implying that the attack was being openly used before it was published. I can't find a good way to confirm this either way. 142.55.0.16 (talk) 15:14, 13 December 2021 (UTC)


 * All I have been able to find is that the CEO of Cloudfare, Matthew Prince, tweeted that the earliest evidence of the exploit was on December 1. I don't know if that can be considered a reliable source though. &horbar;Jochem van Hees (talk) 15:34, 13 December 2021 (UTC)
 * Prince was quoted in this ZDNet article, which I think qualifies. And anyway, more and more sources will write about it, especially non-technical details like that. (As an aside, I'm really surprised how long it took for major news sources to pick this up; this could be one of the most consequential exploits in history....) Ovinus (talk) 15:46, 13 December 2021 (UTC)


 * Matthew Prince didn't specify how many exploit attempts there were before public disclosure and whether the attempt he found was actually trying to be malicious, so I think it might have also just been the discoverers trying out which services are affected (which they did, to create the screenshots circulating around). - User94729 (talk) 15:53, 13 December 2021 (UTC)


 * Oracle issued a patch for their JDKs in mid 2020, patch number 32105696, which appears to mitigate the related CVE-2021-4104 log4j1 exploit. I wonder how much they knew and when they knew it -- Mark J (talk) 17:19, 8 January 2022 (UTC)

Media coverage
This article has been mentioned in the media, or at least an omnibus blog. kencf0618 (talk) 20:46, 14 December 2021 (UTC)

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/


 * That article mentions the Log4j article, not this one. Added a press template to the talk page there. &horbar;Jochem van Hees (talk) 21:00, 15 December 2021 (UTC)
 * Thank you. kencf0618 (talk) 20:52, 17 December 2021 (UTC)

The 8u121 fix
17:39, 15 December 2021‎ User94729 Undid revision 1060445070 "the fix in 8u121 was found to be insufficient to block this vulnerability until later versions,"
 * I do not understand this. The fix is sufficient to block remote class loading via JNDI.

Olekva (talk) 20:42, 15 December 2021 (UTC)

" and even then, there are still vulnerabilities in certain applications"
 * Which applications? Is it applications where  or   has been set to  ?

Olekva (talk) 20:42, 15 December 2021 (UTC)


 * See this link I just added as a citation. LDAP remote code loading was disabled much later in 8u191 and classes may still be loaded through other local classes in the classpath. Also, please wait for response from other editors before reverting the changes under discussion. - User94729 (talk) 20:59, 15 December 2021 (UTC)

Related bug, CVE-2021-45046, is now critical
The original severity of this CVE was rated as Moderate; since this CVE was published security experts found additional exploits against the Log4j 2.15.0 release, that could lead to information leaks, RCE (remote code execution) and LCE (local code execution) attacks.

Apache changed Base CVSS severity rating from 3.7 to 9.0

https://logging.apache.org/log4j/2.x/security.html

Question: Add CVE-2021-45046 to Log4Shell article OR new article for CVE-2021-45046? Luamssuk (talk) 11:47, 17 December 2021 (UTC)
 * Unless the press/researchers start reporting about this vulnerability as substantially distinct from the first, I think keeping it as a redirect is fine. But highlighting the severity is definitely a good idea, since many people thought upgrading to 2.16.0 wasn't a must. Cheers, Ovinus (talk) 12:10, 17 December 2021 (UTC)

Logo
A logo for the log4shell vulnerability has been added quoting it is "widely used". I have not seen any wide use of such logo, indeed the notion that a vulnerability has a trademarked logo is somewhat preposterous. Removing the logo from this article for now, but happy to discuss if there is evidence of "wide use". pseudonym Jake Brockman talk 08:00, 22 December 2021 (UTC)
 * Vulnerabilities sometimes do get their own logos. Have a look at Heartbleed, for example.  No comment on this one though.  Stephen 23:40, 22 December 2021 (UTC)
 * I've seen the 'logo' around places, but that doesn't justify the "widely used" part in the caption. Though I'm used to seeing it, still I think it should remain. It's quite identifiable imo. After all, it's available with an Apache 2.0 license (from what I could tell from the GitHub repo). ...indeed the notion that a vulnerability has a trademarked logo is somewhat preposterous. It's a joke. You can just put TM on anything if you wanted. SWinxy (talk) 04:22, 23 December 2021 (UTC)
 * At the very least, if this logo is kept it should be explained in the article, especially if it's a joke. And since such an explanation would likely not go in the lead, the logo shouldn't be there either. And now that I think about it a section about a fanmade logo is really not significant compared to the topic as a whole. I'd just exclude it. &horbar;Jochem van Hees (talk) 10:02, 23 December 2021 (UTC)

Usage vs Response & Impact
I kinda fail to see why these are separate sections? Isn't the way a vulnerability gets exploited part of the impact? &horbar;Jochem van Hees (talk) 10:19, 23 December 2021 (UTC)
 * Yes. I think this article would benefit from a rewrite once the dust settles. LondonIP (talk) 02:44, 26 December 2021 (UTC)

Tense
Should the article be in past tense, as it was patched? 2603:6080:A601:9600:5D3B:9394:9FE4:A6B0 (talk) 21:25, 11 August 2022 (UTC)


 * No, software-related articles are usually written in present tense. Besides, I’m pretty sure there are still plenty of servers running a vulnerable version even 10 years from now. NM 21:25, 17 September 2023 (UTC)
 * In addition to present tense, the first sentence says it's a "zero-day" vulnerability. Whether zero-day is interpreted literally or as a fixed phrase, I don't see how Log4Shell can still be a zero-day vulnerability. In addition, Wikipedia guidelines advise against references with relation to the present day, as these are, by their very nature, doomed to become outdated. EditorPerson53 (talk) 00:08, 9 December 2023 (UTC)