A Brief Note on Log4perl

This article has been indexed from DZone Security Zone

The Java world had an….interesting weekend when security researchers revealed on December 9 a vulnerability in the popular Apache Log4j 2 software library for recording and debugging events. Systems as diverse as Amazon Web Services, Apple iCloud, and the Minecraft video game could be exploited to run arbitrary code on a server merely by sending a specially-crafted string of text. Information technology professionals have been scrambling ever since the initial disclosure to patch, upgrade, reconfigure, or otherwise protect affected servers. It’s bad, and past unpatched vulnerabilities like this have been responsible for the exposure of millions of people’s sensitive data.

Many Perl applications use the similarly-named and ‑designed Log::Log4perl library, and the good news is that, as far as I can tell, the latter doesn’t suffer from the type of vulnerability described above. This doesn’t mean poorly-written or ‑configured Perl-based systems are immune to all exploits, just this particular one. You should be safe to continue using Log4perl unless someone has deliberately configured it otherwise, and in fact, my work uses it extensively.

Read the original article: A Brief Note on Log4perl

Liked it? Take a second to support IT Security News on Patreon!
Become a patron at Patreon!