@seb I think the number one thing that would have helped us is a *proper* software inventory: vendors, versions, dependencies, libraries, etc, so we could have more easily targeted our efforts.
Facetious answer: use C#. Interestingly, I wonder if the log4net library is similarly compromised.
better answer: there are some great resources out there that detail how to exploit, detect, patch & test: https://motasem-notes.net/the-log4j-vulnerability-explained/
The link I sent before explains how nmap and Burp can be used to scan for susceptible jars.
perhaps companies will now begin thinking about baking pentesting into the CI/CD pipeline as opposed to an annual pentest audit.
@seb [only partly joking] rewrite it all in Rust-lang, (they have relatively low cases of smugness, despite having all of the "we told you so" high ground.)
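The two concrete suggestions in the thread, a software inventory and a scan for susceptible jars, can be combined in one host-side script. The following is an added example written for this page, not code from any of the posters or from the linked article. It walks a directory tree, opens every jar/war/ear, recurses into nested archives (fat jars, WEB-INF/lib), reads the log4j-core version from the Maven pom.properties and records whether JndiLookup.class is still present. The fixture tree built by demo() is constructed for the example (skeleton jars with a pom.properties and a marker class entry, not real Log4j bytes); the root path and the 2.15.0 cut-off are the only assumptions beyond the real artifact layout.

```python
"""Inventory log4j-core jars on disk and flag the ones still exposed to JNDI lookups.

Added example for this thread; not code from any poster or from the linked article.
The fixture jars built below are constructed skeletons (a pom.properties plus an
empty JndiLookup.class marker), not real Log4j bytes.
"""
import io
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator, Optional, Tuple

# Real Log4j 2.x artifact layout: Maven metadata and the JNDI lookup plugin class.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# First release addressing CVE-2021-44228; follow-up CVEs mean you should
# patch to the current release, not stop at 2.15.0.
FIXED_IN = (2, 15, 0)


def parse_version(version: Optional[str]) -> Optional[Tuple[int, ...]]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0); None/unparseable -> None."""
    if not version:
        return None
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    return tuple(int(x) for x in m.group(1).split(".")) if m else None


@dataclass
class Finding:
    path: str                 # archive path, "!" separating nested archives
    version: Optional[str]    # from pom.properties, None if missing
    has_jndi_lookup: bool     # JndiLookup.class still inside the archive

    @property
    def flagged(self) -> bool:
        """Pre-2.15.0 log4j-core that still ships JndiLookup.class."""
        v = parse_version(self.version)
        return self.has_jndi_lookup and v is not None and v < FIXED_IN


def _version_from_pom(data: bytes) -> Optional[str]:
    m = re.search(rb"^version=(.+)$", data, re.M)
    return m.group(1).decode().strip() if m else None


def _scan_zip(zf: zipfile.ZipFile, label: str) -> Iterator[Finding]:
    names = set(zf.namelist())
    if POM_PROPS in names or JNDI_LOOKUP in names:
        version = _version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else None
        yield Finding(label, version, JNDI_LOOKUP in names)
    # Recurse into bundled archives: Spring Boot fat jars, WAR WEB-INF/lib, etc.
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            yield from _scan_zip(inner, f"{label}!{name}")


def scan_tree(root: Path) -> list:
    """Inventory every archive under root; paths are reported relative to root."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(p) as zf:
                    findings.extend(_scan_zip(zf, p.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                continue
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed fixture: minimal jar skeleton, not real Log4j."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


def demo() -> list:
    """Constructed tree: an unpatched 2.14.1, a 2.17.1, and a fat jar whose bundled
    2.14.1 had JndiLookup.class removed (the documented class-removal mitigation)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "lib" / "log4j-core-2.14.1.jar").write_bytes(build_sample_jar("2.14.1", True))
        (root / "lib" / "log4j-core-2.17.1.jar").write_bytes(build_sample_jar("2.17.1", True))
        fat = io.BytesIO()
        with zipfile.ZipFile(fat, "w") as zf:
            zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", False))
        (root / "app.jar").write_bytes(fat.getvalue())
        findings = scan_tree(root)
    return sorted(findings, key=lambda f: f.path)


if __name__ == "__main__":
    for f in demo():
        print(f"{'FLAG' if f.flagged else 'ok  '} {f.path} version={f.version} jndi={f.has_jndi_lookup}")
```

Two caveats a practitioner would add: JndiLookup.class is still present in patched 2.x releases (JNDI is merely disabled by default), so its presence alone is not evidence of exposure, and its absence from an old jar only indicates that someone applied the class-removal mitigation. The version is the primary signal; the class check catches jars that were mitigated in place without a version bump. Shaded or renamed copies of log4j-core will not carry the Maven pom.properties path and need a broader class-name search.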
Posted on INDICATORS OF COMPROMISE (IOC), an InfoSec community instance in the Fediverse.