For my fellow Log4j victims celebrating 4 years #log4shell PTSD: CVE-2025-68161
"The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true."
https://logging.apache.org/security.html#CVE-2025-68161
(It's not that terrible. Seeing the string "log4j" just makes me twitch. :-)
FYI: Log4Shell: 4 Years Later, Are You Still Vulnerable? #shorts: When the Log4Shell attack hit, teams scrambled. Older Log4j versions needed manual workarounds. What if a bot could try upgrades and run tests? Teams with test suites stay up-to-date, owning their security. #Log4Shell #security #cybersecurity #Dependabot #vulnerability https://www.youtube.com/shorts/IJs6EZgoogk
We haven't seen a CVSS 10.0 this scary since #Log4Shell. ๐จ
So we launched the exploit and here is the proof. ๐๐๐
Everyone talks about detecting #React2Shell (CVE-2025-55182). But detection can only take you so far.
To *truly* know if you are exposed to this CVSS 10.0 RCE, you need to validate it.
So we launched the exploit.
We updated our offensive security suite to safely execute the full attack chain against your infrastructure.
Here is how you validate your risk in seconds (see the evidence below ๐):
๐ Validate directly with Sniper: Auto-Exploiter
Action: Launch Sniper: Auto-Exploiter on the target.
Result: The smoking gun. It executes the payload and confirms RCE.
Proof: As you can see from the report highlights, it achieves code execution as user Next.js and captures full command history.
This isn't a simulation. It's a confirmed RCE path on a Linux target running Next.js.
Why this matters: Standard scanners might flag your safe apps as vulnerable (FPs) or miss modified instances (false negatives). Validation removes the doubt.
Don't guess. Exploit it (safely) before they do.
Run the validation now https://pentest-tools.com/exploit-helpers/sniper
Blind trust in open-source is a security risk โ Log4Shell proved it.
The Log4j vulnerability (CVE-2021-44228) showed how a single open-source component can compromise entire ecosystems.
Many orgs didnโt even know Log4j was buried inside their software โ as a dependency of a dependency.
Key lessons:
SBOM is not optional.
Third-party code needs ownership and monitoring.
Automated attacks start within hours, not days.
Open-source โ safe by default.
To stay resilient:
Maintain full dependency inventories.
Use DevSecOps with automated CVE checks.
Isolate components with least-privilege design.
Treat OSS as part of your supply chain.
Log4Shell wasnโt unique โ just the biggest reminder.
The next one will happen.
Be ready.
#CyberSecurity #Infosec #Log4Shell #OpenSource #SBOM #DevSecOps #SupplyChainSecurity #DataDef
ICYMI: Log4Shell: 4 Years Later, Are You Still Vulnerable? #shorts: When the Log4Shell attack hit, teams scrambled. Older Log4j versions needed manual workarounds. What if a bot could try upgrades and run tests? Teams with test suites stay up-to-date, owning their security. #Log4Shell #security #cybersecurity #Dependabot #vulnerability https://www.youtube.com/shorts/IJs6EZgoogk
#Techflix recommandation: "The Untold Story of Log4j and #Log4Shell | Christian Grobmeier | GitHub" #youtube #log4j #ApacheSoftwareFoundation
Many, many โค๏ธ to @grobmeier it takes a lot of courage to talk about your failures (no one is error prove!)
(I must laught when his kid asked for help playing minecraft during the incident. Turned out, minecraft suffered about log4j as well)
Log4Shell: 4 Years Later, Are You Still Vulnerable? #shorts: When the Log4Shell attack hit, teams scrambled. Older Log4j versions needed manual workarounds. What if a bot could try upgrades and run tests? Teams with test suites stay up-to-date, owning their security. #Log4Shell #security #cybersecurity #Dependabot #vulnerability https://www.youtube.com/shorts/IJs6EZgoogk
GitHub Podcast Episode 41 - From Log4Shell to the Sovereign Tech Fund: Lessons in Open-Source Sustainability
buff.ly/VNda5qM
#podcast #github #log4shell #security #oss #devcommunity
From Log4Shell to the Sovereig...
I never imagined GitHub would ask me to speak about Log4Shell.
But it happened.
GitHub asked me to share the story as I lived it, for the benefit of all maintainers and users of open source. How could I say no?
I hope it helps build a more secure future.
No more Log4Shell.
#opensource #log4j #Log4Shell #programming #security #hacking #Github
JUnit 6 broke 50 repos. Iโm delighted.
If a dependency bump can shatter your stack, you don't need fewer updates. You need better tests.
I maintain 50+ OSS repos as one human. I don't babysit them. I automated everything, including updates and minor releases. Many repos haven't been touched in 6 years. AS now JUnit 6 rolled in, a chunk failed. Perfect.
Why perfect? Because failure is a signal, not a disaster. Good tests mean breakage never escapes. I've had repos fail on a Java date parser change. Beautiful. I saw it before release, fixed it, moved on. During Log4Shell and Spring4Shell I didn't panic. I just waited for the next update. That's what behaviour tests are for. And no, they are not slow. If your tests crawl, your design does too.
I trust code I write. I do not trust magic. I remove convenience glue that silently rots:
I don't need MultiValueMap when Map<List> is clearer.
I don't need StringUtils.isEmpty when a simple null or empty check is obvious.
I don't need annotations that smuggle in half a framework.
Every extra library is a future liability: CVEs, Licences, Security, Data Privacy, Performance, breaking changes, mental overhead. Use them to start, then delete them to last. Fewer moving parts mean fewer ways to die.
After 6 years my micro systems still boot in micro seconds, still read clean, still behave. CI pipelines aged, sure, but the code stayed boring. Boring is freedom. Quiet, peaceful, done.
If your stack cannot auto-update without heart palpitations, the problem isn't updates. It's architecture.
Principles I ship by
Automate updates and everything else I can. Let tests be the gate, not fear.
Push behaviour tests to the edges. If it's slow, refactor until it isn't.
Prefer primitives and standard libs. Delete decorative wrappers.
Design for micro systems, not micro monoliths. Start fast, stay fast.
Fewer tools, fewer surprises, fewer nights on fire.
Congratulations. The system failed safely. After fix, you may proceed to do literally anything else with your life.
#java #junit #testing #oss #automation #developerexperience #simplicity #minimalism #microservices #security #log4shell #spring4shell #cleanarchitecture
#Log4j could have failed many times. But it survived. Not because of money, but because of people. An honest look behind the scenes โ from the first line of code to the projectโs greatest crisis.
Read Christian Grobmeierโs new piece: https://javapro.io/2025/06/10/the-long-history-of-log4j/
After #Log4Shell hit, I dreamed of writing a Java Logging book.
Beginner-friendly and full of what Iโve learned as a trainer.
Today, that dream became real.
@ManningPublications just launched my book in their MEAP program, and Iโm incredibly proud and grateful.
After all these years at the ASF, it feels like a circle has closed.
Get it 50% off:
โWas, wenn wir im Urlaub gewesen wรคren?โ #Log4Shell traf 2021 Millionen Systeme โ ein paar Freiwillige retteten das Netz. Christian Grobmeiers Rรผckblick auf 30 Jahre #Log4j zeigt, was #OpenSource leisten kann & dessen Grenzen, wenn Firmen nur konsumieren!
Millions lost. Servers hijacked. All because of overlooked code patterns, you might still have today. Jonathan Vila reveals the unseen traps. Are you truly protected against SQLi, #Log4Shell & deserialization hacks?
Decode it here: https://javapro.io/2025/04/29/top-security-flaws-injections/
The next ๐๐ผ๐ด๐ฐ๐ฆ๐ต๐ฒ๐น๐น is not a matter of ๐ช๐ง, but ๐ธ๐ฉ๐ฆ๐ฏ. The critical Java libraries we use daily are built mainly by volunteers
๐ช๐ฒ ๐ฐ๐ฎ๐ป'๐ ๐๐ฎ๐ถ๐ ๐ณ๐ผ๐ฟ ๐ฎ๐ป๐ผ๐๐ต๐ฒ๐ฟ ๐ฑ๐ถ๐๐ฎ๐๐๐ฒ๐ฟ!
That's why we're building a new solution: a nonprofit partnership between ๐๐ต๐ฒ ๐ฐ๐ผ๐บ๐ฝ๐ฎ๐ป๐ถ๐ฒ๐ ๐๐๐ถ๐ป๐ด ๐ฐ๐ฟ๐ถ๐๐ถ๐ฐ๐ฎ๐น ๐๐ฎ๐๐ฎ ๐น๐ถ๐ฏ๐ฟ๐ฎ๐ฟ๐ถ๐ฒ๐ and ๐๐ต๐ฒ ๐บ๐ฎ๐ถ๐ป๐๐ฎ๐ถ๐ป๐ฒ๐ฟ๐ (like @pkarwasz of Apache Log4j) who support them.
To build a model that works, we need your input.
Think #Log4Shell was a one-off bug? Think again.. What really caused it? How close was #Log4j to dying โ multiple times? And whatโs next for one of #Javaโs oldest libraries? Christian Grobmeierโs new piece will surprise you.
Dive in: https://javapro.io/2025/06/10/the-long-history-of-log4j/
Hรถrenswerter Podcast "Wild Wild Web - Geschichten aus dem Internet" mit der Episode "Das wichtigste Hobby der Welt" รผber Open Source-Maintainer u. a. mit @foosel und der #Log4Shell Story
https://www.ardaudiothek.de/episode/urn:ard:episode:b15e62d1e3e6823a/
#Log4j begann als EU-Forschungsprojekt in den 90ern. Heute ist es eins der meistgenutzten #Java-Logging-Frameworks & รผberlebte #Log4Shell.
Wie ging das?
Christian Grobmeier ๐ Die Geschichte eines Projekts zwischen #OpenSource, Sicherheit & Verantwortung: https://javapro.io/de/die-lange-geschichte-von-log4j/
โIt won't happen to me.โ That's what #Tesla, #Atlassian & #Fortnite thought. Jonathan Vila walks you through the top hidden flaws still lurking in production code & how to shut the doors before it's too late.
Get smart: https://javapro.io/2025/04/29/top-security-flaws-injections/
