
It’s a process circus. Once something gets raised as a critical IT issue in a large org, it’s not enough to “just fix the problem” or state that you aren’t affected due to network security etc. You have to report about it, which means you likely need a comment from a vendor.

The most humorous thing for me about this entire situation is that the way reporting is handled in many orgs is:

Central IT: Are we vulnerable in system X?

System owner: writes vendor

Vendor: No we are not vulnerable to that CVE, we are using Log4J V1

System owner: … the one that’s been EOL since 2015, and has a bunch of other CVEs including another RCE?

Vendor: yes

System owner: Are you going to issue an upgrade?

Vendor: No, we are not vulnerable to the latest CVE on V2 so we will not.

System vendor to central IT: They are using log4j V1, so not affected by the latest CVE, but we are vulnerable to other CVEs including RCE.

Central IT: Perfect, we’ll mark it down as no issues then, the Issue handling only covers the latest CVE.



The log4j v1 RCE is (IIRC!) only applicable when you run it in SocketServer mode... which most users don't.

So yes, a dumb scanner will whine, but intelligent users will see it's a false alarm.
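The distinction this comment draws (log4j 1.x merely present versus a SocketServer listener actually running) is exactly what a triage step should encode, so that the "dumb scanner" hit can be separated from the genuinely network-reachable deserialization path. The following is an added example written for this thread, not code from any commenter or from the Log4j project; the `HostEvidence` record, the host names, jar paths and command lines are constructed inventory data, and the only facts it relies on are that 1.x ships as `log4j-1.2.N.jar` and that the 1.x socket listener is started via `org.apache.log4j.net.SocketServer` or `SimpleSocketServer` on the java command line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical evidence record: what a host inventory tool hands to triage
# (jar names on the classpath plus the command lines of running java processes).
@dataclass
class HostEvidence:
    host: str
    jars: List[str] = field(default_factory=list)
    cmdlines: List[str] = field(default_factory=list)

# log4j 1.x ships as log4j-1.2.N.jar; the whole 1.x line is end-of-life.
LOG4J1_JAR = re.compile(r"(^|/)log4j-1\.2\.\d+\.jar$")
# The 1.x classes that open a TCP port and deserialize LoggingEvent objects
# received from the network; only hosts running these are in "SocketServer mode".
SOCKET_SERVER = re.compile(r"\borg\.apache\.log4j\.net\.(Simple)?SocketServer\b")


def triage(ev: HostEvidence) -> dict:
    """Classify one host: EOL library present vs. listener actually exposed."""
    findings: List[str] = []
    if any(LOG4J1_JAR.search(j) for j in ev.jars):
        findings.append("log4j 1.x jar on classpath (EOL, no fixes shipped)")
        listeners = [c for c in ev.cmdlines if SOCKET_SERVER.search(c)]
        if listeners:
            findings.append("log4j 1.x SocketServer listener running: "
                            "network-reachable deserialization path")
            verdict = "exploitable-1.x-socketserver"
        else:
            verdict = "eol-1.x-present"  # still worth an upgrade ticket, not an emergency
    else:
        verdict = "no-log4j-1.x"
    return {"host": ev.host, "verdict": verdict, "findings": findings}


def triage_all(evidence: List[HostEvidence]) -> Dict[str, str]:
    """Map host name -> verdict, the summary a central IT report would want."""
    return {r["host"]: r["verdict"] for r in (triage(e) for e in evidence)}


# Constructed sample inventory (hypothetical hosts, paths and class names).
SAMPLE = [
    HostEvidence("app01",
                 jars=["/opt/app/lib/log4j-1.2.17.jar"],
                 cmdlines=["java -cp /opt/app/lib/* com.example.App"]),
    HostEvidence("logsrv01",
                 jars=["/opt/logsrv/log4j-1.2.17.jar"],
                 cmdlines=["java -cp /opt/logsrv/log4j-1.2.17.jar "
                           "org.apache.log4j.net.SimpleSocketServer 4712 "
                           "/opt/logsrv/log4j.properties"]),
    HostEvidence("web02",
                 jars=["/opt/web/lib/log4j-core-2.x.jar"],  # placeholder 2.x name
                 cmdlines=["java -cp /opt/web/lib/* com.example.Web"]),
]

if __name__ == "__main__":
    for host, verdict in triage_all(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Running it over the constructed inventory reports `app01` as `eol-1.x-present`, `logsrv01` as `exploitable-1.x-socketserver` and `web02` as `no-log4j-1.x`, which is the three-way answer the thread's "Central IT" form cannot express. Real inventories should feed the command lines from a process listing rather than startup scripts alone, since a listener launched by hand or by a forgotten cron entry is exactly the case that a config-only check misses.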


One of the exploits in log4j v1 is known about and acts like that. How many aren't known about but have cropped up in the last 6 years and quietly been exploited?


Large orgs make their employees feel like they don't matter, and eventually the feeling is reciprocal. It's insane to expect anyone in a 1000+ person org to go "above and beyond" their fairly regimented and supervised responsibilities.

I'm not advocating for that attitude, it's just what I've observed.


Somewhat gruesome, because this is exactly how a lot of these vulnerabilities are "handled"


Literally happened to me the other day.

Not sure though how I can make a difference when the vendor and manager seem to be buddies and any criticism of the tool falls on deaf ears.


I'm fighting this battle right now.

Inches from just emailing the list of CVEs to someone way above my paygrade and letting the chips fall.


Talk about the money you'll lose when you get hacked.


That's precisely what happened today at ${dayjob}.



