The past three weeks have been what some cyber professionals are calling the greatest stress test of systems security of the decade. The crisis is the response to the log4j vulnerability, which has gained unprecedented coverage in mainstream media and in public discourse. This vulnerability will have implications reaching across every industry and every machine running Java. However, log4j is only one of the many Remote Code Execution (RCE) vulnerabilities that plague Java.

David Johnson, one of Clear Ridge Defense’s talented Senior Cyber Tool Developers, gave his input into the patching and context of RCE vulnerabilities within Java.

“Many times, in Java, functionality is added with an opt-out requirement to remove or reduce functionality within libraries. This paradigm of Java development should shift from an opt-out to a community acceptance of opt-in functionality and configuration.”

In layman’s terms, vulnerable features are included in your boilerplate Java suite and must be manually opted out of. David suggests that reducing the “bells and whistles” included in your suite, and instead requiring an explicit “opt-in” for features, would improve your ability to manage security within Java.
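To make the opt-in principle concrete, here is an added illustration (not code from Clear Ridge Defense or from any Java library) of a hypothetical log-message formatter. By default it performs no `${key}` substitution at all, so text that reaches the logger is treated as plain data; a caller who needs substitution must opt in and supply an explicit allow-list of resolvable keys. Unknown keys are left verbatim rather than handed to any resolver. The class name, the `withLookups` factory and the sample message are all assumptions for this example.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Hypothetical formatter illustrating opt-in rather than opt-out design.
 * Token expansion ("${key}") is OFF by default. A caller who needs it must
 * opt in and name every key that may be resolved; nothing else is resolved.
 */
public final class OptInFormatter {
    // Only simple dotted identifiers are recognised as tokens at all.
    private static final Pattern TOKEN = Pattern.compile("\\$\\{([A-Za-z0-9_.]+)\\}");

    private final boolean lookupsEnabled;            // opt-in switch, default false
    private final Map<String, String> allowedKeys;   // explicit allow-list of resolvable keys

    /** Default behaviour: no lookups; message text is passed through unchanged. */
    public OptInFormatter() {
        this(false, Collections.emptyMap());
    }

    private OptInFormatter(boolean lookupsEnabled, Map<String, String> allowedKeys) {
        this.lookupsEnabled = lookupsEnabled;
        this.allowedKeys = Collections.unmodifiableMap(new HashMap<>(allowedKeys));
    }

    /** Explicit opt-in: only the keys in this map can ever be substituted. */
    public static OptInFormatter withLookups(Map<String, String> allowedKeys) {
        return new OptInFormatter(true, allowedKeys);
    }

    public String format(String message) {
        if (!lookupsEnabled) {
            // Default path: no parsing, no resolution, no external calls.
            return message;
        }
        Matcher m = TOKEN.matcher(message);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String key = m.group(1);
            String value = allowedKeys.get(key);
            // Keys outside the allow-list are left as literal text.
            String replacement = (value != null) ? value : m.group(0);
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: part of this message is imagined to come from untrusted input.
        String msg = "login ok for ${user.home} on build ${app.version}";

        // Default formatter: both tokens stay literal.
        System.out.println(new OptInFormatter().format(msg));

        // Opted-in formatter: only the allow-listed key is substituted.
        Map<String, String> allowed = new HashMap<>();
        allowed.put("app.version", "1.4.2");
        System.out.println(OptInFormatter.withLookups(allowed).format(msg));
    }
}
```

The design point is that the safe behaviour is the one you get by doing nothing: a team that never touches the configuration never inherits the lookup feature, and a team that does enable it has to enumerate exactly what may be resolved, which is also what a reviewer or a detection rule can audit.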

We want to hear your input on RCE response and management! Please comment your thoughts below!

Concerned about potential vulnerabilities within your own company’s infrastructure? Contact us to see if your company qualifies for our free initial open-source assessment.

Interested in being part of the team working to resolve issues like this? Join the Clear Ridge Defense team. We hire elite talent from around the country to solve cutting edge problems for our clients.


Additional resources and readings:

Federal Trade Commission’s statement regarding the log4j vulnerability.

Security Magazine’s article on the way forward following log4j.

Presentation from the 2016 Black Hat conference showing JNDI attack vectors.
