When your logging framework starts to execute arbitrary code, you know you’re in trouble.
Log4j, the popular Java logging framework, contained a vulnerability that put many apps you might have been using at risk, including Twitter, iCloud, and Steam. That list is far from complete, as Log4j is likely present in “almost all” major Java-based enterprise apps and servers. Not even the NSA was safe, since its popular GHIDRA tool was vulnerable as well.
According to GreyNoise, a company that analyzes “Internet background noise”, there are around 100 hosts actively scanning for servers with the aforementioned vulnerability.
To check whether your server got scanned, you can compare your visitors against the IPs in this GitHub gist. These IPs are Tor exit node addresses, however, so the list will keep growing.
Luckily, the way to patch the vulnerability is simple. As Cloudflare explained it:
1. Upgrade to Log4j v2.15.0
2. If you are using Log4j v2.10 or above, and cannot upgrade, then set the property:
log4j2.formatMsgNoLookups=true
Additionally, an environment variable can be set for these same affected versions:
LOG4J_FORMAT_MSG_NO_LOOKUPS=true
3. Or remove the JndiLookup class from the classpath. For example, you can run a command like
zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class
to remove the class from log4j-core.
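To make the three steps above checkable, here is an added Python example (not from Cloudflare or the Log4j project) that reads a log4j-core jar, reports which step still applies, and performs step 3 with the standard zipfile module instead of the zip CLI. The sample jar it builds is a constructed stand-in rather than a real Log4j build, and reading the version from the manifest's Implementation-Version header is an assumption about how the jar is packaged.

```python
import io, zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by step 3
FIXED, PROPERTY_OK = (2, 15, 0), (2, 10, 0)  # versions named in steps 1 and 2

def parse_version(text):
    parts = [int(p.split("-")[0]) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))  # '2.15' -> (2, 15, 0)

def implementation_version(jar):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent (assumed layout)."""
    if "META-INF/MANIFEST.MF" not in jar.namelist():
        return None
    for line in jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Implementation-Version:"):
            return parse_version(line.split(":", 1)[1])
    return None

def assess(jar_bytes):
    """Map a log4j-core jar to the step from the list above that still applies."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version, has_lookup = implementation_version(jar), JNDI_LOOKUP in jar.namelist()
    if not has_lookup:
        action = "step3-done"   # JndiLookup already stripped, regardless of version
    elif version is not None and version >= FIXED:
        action = "ok"           # step 1 already applied
    elif version is not None and version >= PROPERTY_OK:
        action = "step2-or-3"   # property / env var is honoured, or strip the class
    else:
        action = "step1-or-3"   # too old (or unknown) for the property: upgrade or strip
    return version, has_lookup, action

def strip_jndi_lookup(jar_bytes):
    """Step 3 without the zip CLI: rewrite the jar minus JndiLookup.class (breaks jar signatures, as zip -d does)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
         zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()

def make_sample_jar(version, with_lookup=True):
    """Constructed stand-in for log4j-core-<version>.jar, not a real build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", f"Implementation-Version: {version}\n")
        if with_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()
```

Run `assess(open("log4j-core-2.14.1.jar", "rb").read())` against a real jar to see which step applies; a jar without a manifest version but with the class present is treated as the oldest case.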
React is a bit of a “you have to do everything yourself” UI library. Without explicit optimizations such as memoization, it performs rather poorly, unnecessarily running a lot of code over and over. Having to keep this, and some other React-specific optimizations, in mind can be a bit of a pickle.
Engineers at Meta seem to have noticed this and have showcased a tool that makes React perform much better without all the mental overhead for developers. The solution is a compiler that performs the memoization for you, automatically. For a demo, watch the video below.
If you ever push a commit with your private key to a public GitHub repository, believe it or not, this is not the worst thing that can happen. Line leaked payment data of 133,000 users to GitHub. The leaked data contained details of participants in a “LINE Pay” promotional program: date, time, and user IDs. Even though no credit card or bank account details saw the light of day, they could have been “traced with a little effort.”
The leak happened between September and November 2021; however, the news about it only surfaced last week. The company promised to do better in the future.
Tailwind CSS, one of web developers’ favorite tools for creating beautiful UI components, is getting a new major release. It brings improvements that make developers’ lives easier, along with new features that add new capabilities.
For the full list of features in the new release, take a look at the documentation.