Foojay Today

Santa Claus Issues YuleLog4J Advisory

December 24, 2021

Christmas revelers and elves are urged to patch their fireplaces, as a Remote Combustion Effect (RCE) vulnerability has been discovered in the traditional holiday YuleLog4J. YuleLog4J is one of the most popular holiday celebrations, appearing in approximately 64% of fireplaces and streamed to millions of homes over Netflix and Amazon Prime.

The vulnerability occurs in the Jingle Naming and Directory Interface (JNDI), a utility that enables lookups of holiday cheer from remote sources. Unpatched versions of YuleLog4J can load potentially un-cheerful items such as coal, traditionally reserved as a stocking stuffer. The advisory was managed through coordinated disclosure between the North Pole and the GiftHub Security Research Team.

Additional vulnerabilities have been detected that may impact holiday celebrations. Previous version of YuleLog4J are also at risk of a Denial of Santa (DoS) vulnerability in recursive lookups based when paired with untrusted kindling.

Mitigating Your Risk

Patches to defend the RCE are available in YuleLog4J 2.17.0.

Additional recommendations for a safe holiday are available in the Code of the Elves:

  1. Treat every day like Christmas.
  2. There’s room for everyone on the nice list.
  3. The best way to spread Christmas cheer is singing loud for all to hear.

Related Articles

View All
  • Java: Where the Wild Code Isn’t

    In the last several years, the OpenJDK community has made Java significantly safer for users and developers while at the same time making it easier to design, build, and run applications quickly.

    Java users should incorporate several practices to take full benefit from the defenses of the modern JRE.

    Read More
    Avatar photo
    Oct 17, 2021
  • Light Up your Christmas Tree with Java and Raspberry Pi

    Are you a serious Java-developer looking for a fun project?

    Or want to learn something completely new and use your Java-knowledge to control electronic components?

    Here we go with this small project to get you introduced to the world of electronics programming!

    Read More
    Avatar photo
    Dec 23, 2020
  • Creating a JavaFX World Clock from Scratch (Part 1)

    Welcome to Creating a JavaFX World Clock from Scratch (Part 1)! In this series of blog entries I would like to show you how I created a “sci-fi” looking world clock that happens to be a cross-platform Java desktop application.

    Here I will explain my thought process, development workflow, and of course JavaFX code details. Since it’s still in the early stages, you can tune in by commenting or joining foojay’s Slack channel at [2], where I and others (Java experts & friends of OpenJDK/OpenJFX) can offer advice.

    Read More
    Dec 14, 2020


  • Avatar photo
    Erik Costlow

    Erik Costlow was Oracle’s principal product manager for Java 8 and 9, focused on security and performance. His security expertise involves threat modeling, code analysis, and instrumentation of security sensors. ... Learn more

Comments (1)

Your email address will not be published.

Highlight your code snippets using [code lang="language name"] shortcode. Just insert your code between opening and closing tag: [code lang="java"] code [/code]. Or specify another language.

Save my name, email, and website in this browser for the next time I comment.

Sharron Reed Gavin


Subscribe to foojay updates:
Copied to the clipboard