Santa Claus Issues YuleLog4J Advisory
- December 24, 2021
- 2386 Unique Views
- < 1 min read
Christmas revelers and elves are urged to patch their fireplaces, as a Remote Combustion Effect (RCE) vulnerability has been discovered in the traditional holiday YuleLog4J. YuleLog4J is one of the most popular holiday celebrations, appearing in approximately 64% of fireplaces and streamed to millions of homes over Netflix and Amazon Prime.
The vulnerability occurs in the Jingle Naming and Directory Interface (JNDI), a utility that enables lookups of holiday cheer from remote sources. Unpatched versions of YuleLog4J can load potentially un-cheerful items such as coal, traditionally reserved as a stocking stuffer. The advisory was managed through coordinated disclosure between the North Pole and the GiftHub Security Research Team.
Additional vulnerabilities have been detected that may impact holiday celebrations. Previous version of YuleLog4J are also at risk of a Denial of Santa (DoS) vulnerability in recursive lookups based when paired with untrusted kindling.
Mitigating Your Risk
Patches to defend the RCE are available in YuleLog4J 2.17.0.
Additional recommendations for a safe holiday are available in the Code of the Elves:
- Treat every day like Christmas.
- There’s room for everyone on the nice list.
- The best way to spread Christmas cheer is singing loud for all to hear.
Don’t Forget to Share This Post!
Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. He is working to broaden this approach to security with Contrast Security. Before becoming involved in technology, Erik was a circus performer who juggled fire on a three-wheel vertical unicycle.
Comments (1)
Sharron Reed Gavin
3 years agoLOVE IT!!!