然後 Cloudflare 的 CEO Matthew Prince 在 Twitter 上有提到從他們家的資料看起來,2021/12/01 就已經有攻擊在外面跑了,這也是之前會說這是 0-day 的原因:
Earliest evidence we’ve found so far of #Log4J exploit is 2021-12-01 04:36:50 UTC. That suggests it was in the wild at least 9 days before publicly disclosed. However, don’t see evidence of mass exploitation until after public disclosure.
Updates (3 hours after posting): According to this blog post (see translation), JDK versions greater than 6u211, 7u201, 8u191, and 11.0.1 are not affected by the LDAP attack vector. In these versions com.sun.jndi.ldap.object.trustURLCodebase is set to false meaning JNDI cannot load remote code using LDAP.
However, there are other attack vectors targeting this vulnerability which can result in RCE. An attacker could still leverage existing code on the server to execute a payload. An attack targeting the class org.apache.naming.factory.BeanFactory, present on Apache Tomcat servers, is discussed in this blog post.
Add a new garbage collection (GC) algorithm named Shenandoah which reduces GC pause times by doing evacuation work concurrently with the running Java threads. Pause times with Shenandoah are independent of heap size, meaning you will have the same consistent pause times whether your heap is 200 MB or 200 GB.
In April 2021, the Supreme Court ruled in a 6–2 decision that Google's use of the Java APIs fell within the four factors of fair use, bypassing the question on the copyrightability of the APIs. The decision reversed the Federal Circuit ruling and remanded the case for further review.
判決全文 PDF 的前面三頁多算是簡介說明這次的重點,Page 44 到 Page 62 則是反對的兩位大法官 (Clarence Thomas 與 Samuel Alito) 所提出的異議,可以看到兩位大法官批評了 copyrightability 與 fair-use analysis 的問題。
Q: What type of issues are detected by Amazon CodeGuru Reviewer?
Amazon CodeGuru Reviewer checks for concurrency issues, potential race conditions, un-sanitized inputs, inappropriate handling of sensitive data such as credentials, resource leaks, and also detects race conditions in concurrent code.
然後 FAQ 裡提到目前只支援 Java:
Amazon CodeGuru Reviewer currently supports Java code stored in GitHub and AWS CodeCommit repositories.
服務的價位是使用行數計算,不過那個 per month 沒看懂是什麼意思:
Code scan (pull requests) $0.75 per 100 lines of code scanned per month
Long-term support (LTS) for Corretto includes performance enhancements and security updates for Corretto 8 until at least June 2023 at no cost. Updates are planned to be released quarterly. Amazon will provide LTS for Corretto 11 with quarterly updates until at least August 2024.
We've released version 2.0.0 of Java Is Still Free (https://t.co/VvAPtBYE1C) - giving you a full and balanced view of the #java and #openjdk choices you have going forwards, including commercial support, $free and free to use - read it today!