by specialist
1609 days ago
Tangent: Wasn't Java's SecurityManager stuff supposed to prevent these kinds of exploits? I haven't used log4j for ages, so I didn't know offhand. Somewhat curious, I gleaned that none of the enterprisey stacks use SecurityManager. I guess I kinda understand; SecurityManager was fashioned and pitched for an ecosystem of applets, agents, and sandboxes. Further, I then gleaned there's a JSR to outright remove SecurityManager. With no apparent replacement, just some vague advice to roll your own capabilities-based system. So, however we got here, what's the plan? Run JVMs on top of something like OpenBSD's pledge?