
Yes, it's like a format string bug in C in that sense.

Most people don't take "log injection" that seriously as a bug class in Java. There are usually no consequences for ignoring it, so it's common. The RCE adds a lot of flavour to an otherwise bland bug.




NOTE: I WAS WRONG, AS DISCUSSED UPTHREAD. IT IS EXPLOITABLE EVEN IF YOU USE FORMAT STRINGS CORRECTLY.



