by jfoutz 1636 days ago
Yes, that would be true. Unfortunately log4j doesn't get configuration exclusively from config files on the server where it's running. This doesn't look like no access to full RCE like the first few rounds. But this might let an attacker turn a small exploit into a big exploit.

I suppose that there could be companies that load logging configs from a shared filesystem share that the non-security-minded now-retired ex-IT director threw up on an insecure server somewhere "so I can debug the outages better." Still not as bad as the log content being an attack vector!

> ex-IT director

If only that were true. At least we could bond over what an idiot 'that guy' was.

But he probably is friends with the CEO so we can't say shit.

Old IT directors never die, they simply fade away, much like the sanity of everyone left.