Log4J Vulnerability (Log4Shell) Explained - for Java developers
Vložit
- čas přidán 15. 12. 2021
- Learn exactly what the Log4J vulnerability is, including Java code and the attach details. I also share some thoughts on open source in general.
Video explaining Java logging libraries: • Logback vs SLF4J vs Lo...
Join this channel to get access to perks:
/ @java.brains
Log4j 2.17 is out for vulnerabilities discovered in 2.16
Pp
Agree log4j 2.17 is out, but this is what I found in website:
In version 2.12.2 (for Java 7), Log4j disables access to JNDI by default. Usage of JNDI in configuration now needs to be enabled explicitly. Calls to the JndiLookup will now return a constant string. Also, Log4j now limits the protocols by default to only java. The message lookups feature has been completely removed. Lookups in configuration still work.
From version 2.16.0 (for Java 8), the message lookups feature has been completely removed. Lookups in configuration still work. Furthermore, Log4j now disables access to JNDI by default. Users are advised not to enable JNDI in Log4j 2.16.0. If the JMS Appender is required, use Log4j 2.12.2.
Word!
Yeah new patch coming
@@abhishekbs9639 if may server is secure by vpn and other things like vpn , no port access from outside
can still java application can get hacked ??
6:15 So much backward compatibility that even my great grandmother code can work on latest version of jvm 🧐🧐🤣 this line got me 👑👑😆
I was not satisfied with other contents out there. The moment I noticed your video I was sure before watching that now I am going to get 101% correct understanding as usual. Thanks a lot Koushik!
Agree with you brotha. U gotta love Koushik man… he the 🐐
exactly the same here. This video gave me a lot of relief and I immediately subscribed for it.
You have superpower of explaining difficult things in easy words.
Nicely explained that companies don't value for free open source stuff ( that reminds me we don't thank you enough for making such great free content 😊).
Maybe 2nd version of this video would be (we always ask for more 😊).
1. Live example showing same vulnerability in action.
2. How exactly this issue is fixed. i.e. before and after comparison.
Hi Koushik, could you share which microphone and recording software do you use for recording?
Explained well. I like the "Support model" you were talking about.
Always comeback to learn from your tutorials from my early college days (around 2013-14). Kaushik you are really a great teacher who can convey the knowledge in simplified manner. Your view on Private companies donating money to these opensource project is spot on, but there is chances of these companies controlling the whole project and projecting their own agenda into it, so yes it would be great if we can support such projects financially but it's tricky one. Also I'm thankful for people like you who provide such a quality stuff, I have nothing but deep gratitude and I'm planning to become member of your channel to support what you're doing, keep doing this we need more people like you :)
AS usual, the best teacher out there, thanks Koushik!
I saw other videos on the same, but no one explained it better than you. Thanks a ton.. !!
The only video on youtube with such comprehensiveness about this vulnerability. This is what makes Java Brains stand apart from other tech channels. Thanks Koushik !
Good technical explanation. Relevant facts around it and at last thought provoking discussion. This was really worth the time. please make a video on how to contribute to open source. please use any open source project as example . Thanks a lot again
More than the knowledge on this topic, I am overwhelmed by your thought towards people contributing for open source tools/apps. Your thoughts towards open source community is SO PURE. KUDOS!!! It's not always MONEY that matters, by the way. People like you having such noble intent towards society and community. KEEP THIS SPIRIT ON!!! Thanks
Just like open source we have "stack overflow" people don't realize the efforts and time people devote to help this community to keep going, be its open source or helping some developer out, we must respect and do what ever we can in order to get things going.
The last part of the video regarding supporting open source software is really thoughtful. Thank you.
Came for the vulnerabilty ,
Left with a beautiful message .
Thank you .
Thank you for explaining this. Especially the thought about many companies making money out of using open-source libraries but not giving back to the open-source volunteers.
Dude, that is hands-down the most informative, entertaining, and accurate description of the log4j vulnerability that I've enjoyed. Thanks!
The way you ended the video with that thought provoking message is awesome
Thank you for explaining this simple. Great content as always
And it took these many years to know the existence of this vulnerability!!!
Hats off!!
I was watching this in Incognito mode but this explaination is so awesome that I had to come here to like it and comment on it. Awesome stuff. Thanks for all this effort.
Very clear explanation as always. Your words does not only make us understand stuff but also allow us to think forward which is important.
You explained it in a concise and subtle manner. Thanks!
Kaushik your words are ultimate..you got to be the professor for all java developers as like in money heist serial.!
Great Explanation, loved every part of it. Waiting for next video on this topic explaining what they did to resolve this vulnerability in the latest patch!
Your narration is really good. After going through the video i can understand the severity of this attach.
Also your corporate support approach is interesting, hoping all big companies will share there CSR to these kind of projects
This was the best explanation of the weakness that I've found. Thank you. The bad news is that even if a large investment is made in open source today, it will take time to find and fix similar issues. The bad guys will be looking to not only exploit this issue, but be searching for similar ones and this creates a race condition in which they likely have a head start.
One of the greatest explanations of this vulnerability
Sir, whenever I see a video suggestion having you I realize that if I view it then my day is going to be useful. I have been following you since 8 years and have learnt most of the stuff from you if not all. You have literally made my career and I find your depth amazing and try to strive towards it. :)
Thanks for the great explanation of Log4J. I never really fully understood what it was till I watched this video. Thanks for taking the time to post it.
Got the clear picture about the vulnerability after watching your video. Thank you.
Loved the last thoughtful arguments and questions in the end!! Great work!
Super easy and complete explanation of Log4j. I also support your view on open source, with adversaries on the lookout, from security perspective, it is definitely recommended to avoid open source where you can. You are exposed when the code is exposed.
That explains the problem very well rather than any other places I have seen. Thank you very much. And a very good point to be taken into thought at the end of your video. Big companies are making money out of open source projects and basically those open source projects contributed to the income they have made. Open source projects never mandates to pay them back if someone using their projects and making money out of it but those companies should have a self responsibility to contribute/fund back in the open source projects. Because there are number of people who are working to improve without getting paid a penny. Hats off for them. So the companies who never did their part, cannot blame at open source projects.
Your channel has been a single source of truth for all things Java for me for a very long time now. Thank you for the explanation.
Your make a brilliant point. Often see huge companies tap into open source and brag about it, but forgetting to support the people actually doing it financially.
Very true and these same companies often spend fortunes for mocrosoft and orakle product lockins and endless forced migrations.
I was excited throughout the video just like him. The big companies took log4j and its security for granted. Not just 2020, even 2021 will be remembered in history.
One of the best explanations! Straight to the points.
Thank you very much for this comprehensive explanation. The last point is really interesting to think of. I never had this thought about open source projects and you changed my view on it.
Thanks a lot for sharing the great and most useful information. I'm sure this is gonna be asked in interviews.
Crisp and clear explanation ending with some thought provoking questions. 👏
Excellent video, as always. Especially, the ending message. Kudos to Koushik. 👍
So far one of the best explanations I've heard about this issue. Great job. "When was it really exploited?" Yes, great question...
The best explanation about Log4J Vulnerability, Thank you for explaining fully
Really appreciate your time making this video. Thank you!
I have been watching for this vulnerability and no one explains it that well on CZcams. I think this video explained it very clearly and very good resource for tech people to get some understanding of this vulnerability.
I love your way to talking and explaining things, keep this knowledge coming. many thanks
Thanks for clearly explaining the problem and the solutions available to a non-dev. I agree that open-source users should contribute back.
your last message really touch me, it really rise a question on how we support open source. also stay strong for all java programmers out there, it's been a hard time especially near year end holidays
A big thank you. Kaushik for explaining issues bothering our teams.
Thank you kaushik for that 9:30 explaination. Finally understood what that expression was being used.
Tech part is very well explained - no doubts in it. There is the touchy note for the moral responsibility. Very well expressed as well. The businesses that aspire and build themselves on these open source tools are often making huge profits but fail to recognize these underpinning elements that made things possible. So yes, a kudos to you for bringing this up.
The most epic explanation !! thank you, as a fellow Java dev, this is one of my fav Java channels
This is by far the best Log4J vulnerability explanation on the internet
This is where DevSecOps comes in. Secured by design and by default. good informative video.
Your explanation was compelling and precise. Short and very informative. Thanks for that. Well down, good job !!!
Exactly what I was looking for to understand the issue! Good stuff!
This is the first time I see a video for you.... you are amazing... keep it this way.... You are really amazing... Bravo!
This is an impeccable video! Kudos, Koushik!
Thank you so much for your explanation, I have red lots of articles to understand this Vulnerability but it was not absorbed till i saw this video
I am impressed by the level of detail you put here. Thank you for sharing this. The amount of detail is awesome.
Exquisitely explained - thank you!! You just got another subscriber!
Amazing delivery with rich content. Love it! Thanks a lot.
Finally someone whose explanation helped me !!
Brilliant explanation. Thanks and though you said you are not a security expert, many of them on TV can hardly clarify it this way. The profit making companies will not spend to invest in open source. But stash their money in safe havens.
Most useful explanation I've seen. Thanks!
All things were explained well and with satisfaction.
Well Koushik, I love your last statement and idea. Organizations should pay to open source communities.
Great stuff..👏
This is the best video I have seen this year in CZcams..
Thanks for explaining this in a simple and easy manner!
Wonderful video Kaushik! Unparalleled quality content!
Excellent explanation. I particularly liked the ending note (thoughts).
Thanks for this video Koushik. You are an amazing tutor
I am watching this almost more than a year after this was released (yup, I'm not a techie/tech geek), and I have watched quite a few videos trying to understand this issue (esp. for non-techies), and this is one of the best videos explaining this issue!! And this is coming from a non-technie! Kudos!
I’m a total layman on this and am just informing myself so that I understand what is happening with my work’s response to the vulnerability. Your content is so clear yet detailed. Absolutely fantastic.
Thanks for this interesting video. I did a lot of Java work about 10 years ago (now retired). I did use Log4J when I needed to find particularly difficult bugs that only surfaced in the production environment. Usually there would be some screwy set of data that was unforseen during the QA process. So I would create a special release and then log the heck out of everything. I never liked logging in the production environment because it was a hit on performance. So if I had logging code in there I would turn it off somehow. I don't think Java has the #ifdef feature to remove sections of code from final compilation as C++ does. So I don't recall exactly how I did it. Anyway, that is another possible solution in addition to the ones you mentioned.
Great content!! Loved it. First video I see in your channel and I can say right now you got a new subscriber!
Really excellent content and you explained with great examples. Also sparks lot of thoughts. I have gone through few videos regarding this, but I found very best and excellent, and got very good realtime insight about this.
Excellent Job.
Good technical explanation. I myself as a budding developer have not gotten into logging (actually this whole vulnerability stuff has just made me more curious about it so down that rabbit hole I go lol) as of yet but once you brought things into context of SQL IAs I understood much better the implications. Thanks for the video.
As a second year CS major, thank you, great video.
Excellent explanation with real time example.
easily the best video i've seen on this topic!
Hi Koushik, you are always easy to understand. Thanks for sharing this. Opensource runs the entire world of technology and internet. Its high time for big companies earning billions and millions ,give it back to community. Hope to see have morale support for opensource volunteers and some business model to preserve this wonderful world of opensource.
Thanks so Much, one of the best explanations of the vulnerability.
Excellent explanation, my team of pen testers have been ensuring our systems are patched, this is by far one of the best examples, I will be doing a walkthrough of Log4j in a week in our channel to help our student base. Keep up the great work
This is the only channel I would press the JOIN button for.
I must say I am tempted to enroll for your training if that is available. I have been reading about this Log4j for a week without getting facts clearly. Enter this video, I get all the facts in 20 minutes or less. Your explanation is just amazing. Keep it up for good job and sharing. Merry Xmas.
Thanks for the detailed information. Yes, we need to take initiative Support model, that you explain sir. We means as all developers.
Very thankful to you kaushik, you're helping us with learing a lot. God bless you. and I'm going to become a member of the channel now.
I was thinking to kindly ask you a video on this, and you did it. Thanks!
Kaushik bro , u make things so easy and interesting, video madiddakke dhanyavadagalu
Amazingly explained!! Thanks for the contents and the thoughts
As always this is the best explanation and good thoughts on open source
Best content by best mentor. Thanks a lot
You are really a reliable source of education/reference in Java world by addressing current/trending issues with a great explanation video. Much appreciated & thanks for your great works. 🙏🏻
Nicely explained with simple words. keep up the good work sir
As always your great explanation of such a critical issue in simple word .thanks so much ..
Wow, well explained all the parts in the video. Thanks.
Threw a like for your great grandmother being a long time Java coder.
I was really waiting for your video about this vulnerability issue. Thanks lot 😊
Well done! Very clear explanation of this problem. Thanks!
Thank you. Your explanation was compelling and precise