by rot25
1646 days ago
Vulnerability researcher here. It's really hard for vulnerabilities as simple as this one to stay under wraps. When the patch went out 9 days ago [1], many vulnerability researchers were able to look at it and identify the root cause within minutes. Exploits started going out over a week ago, before the CVE was released. Good security orgs that can hire skilled vulnerability researchers started patching on December 6th/7th/8th. All the chaos started on December 9th when people started leaking the PoC on Twitter. The same thing happens to Google Chrome when they release a patch for a security vulnerability: very skilled researchers can produce a PoC and exploit given the patch alone [2]. The same thing happens even with embargoes like the one you describe in place.

[1] https://github.com/apache/logging-log4j2/commit/d82b47c
[2] https://blog.exodusintel.com/2019/09/09/patch-gapping-chrome...