Log4j high-risk bug has been fixed overnight! Maintainer: "In order to achieve backward compatibility, the old function was not deleted and the vulnerability was caused."

Last week, the remote code execution vulnerability exposed by Apache Log4j2 had a significant impact on a global scale.

(Related Reading:
High-risk bug! Apache Log4j2 remote code execution vulnerability: The official is rushing to fix it!
https://segmentfault.com/a/1190000041096729）

The sudden exposure of the vulnerability not only caught the framework maintainers who used Log4j2 by surprise, but also allowed developers to "fix" the problem overnight.

As a PMC member of Apache Software Basic Log Service, Volkan Yazıcı responded to this incident.

On December 11, Volkan tweeted: "Log4j maintainers have been constantly studying mitigation measures to fix bugs, documents, CVEs, query responses, etc. But nothing can stop people from criticizing us because we Is not paid for work because we don’t like this feature, but we need to keep it for backward compatibility reasons."

(Link to the original Twitter: https://twitter.com/yazicivo)

At the same time, Volkan also attached the relevant link of Log4j 2.15.0:
https://logging.apache.org/log4j/2.x/changes-report.html#a2.15.0

And the link to fix the vulnerability:
https://logging.apache.org/log4j/2.x/security.html

According to his description, since the vulnerability was made public, maintainers have been busy fixing the vulnerability and maintaining the corresponding bugs, documents, and CVEs, while responding to other people's queries.

Although these maintenance works are unpaid, they have received many severe criticisms and even accusations from the outside world.

Volkan mentioned that the old feature that caused the vulnerability is actually to be removed (the vulnerability is essentially JNDI injected into Log4j2's search method), but this feature is retained to ensure backward compatibility.

Of course, some people disagree with Volkan's "backward compatibility" principle. He said that if the development team wants to delete the old feature, they don’t hesitate to do what they want to do; but if the users who use the feature think it’s important, they can bear the time, energy and money costs of the project. , And maintain it yourself.

Apache Log4j2 is a Java-based log component, which is widely used in business system development to record log information about program input and output, and is extremely widely used. In most cases, developers will write error messages caused by user input to the log.

As an open source underlying component, Log4j2 has been used by many large Internet companies such as Google, Apple, and Amazon.

As can be seen from the comments on Volkan's Twitter, many people have just learned that these high-value, high-profit companies have not provided any support for this basic component, and even the maintenance personnel are working for free.

Netizens who knew the real situation also gave the maintainers a hug. Someone commented below Volkan's tweet, "Send a hug to the people at Log4J. For them, it must be a very bad Friday."