My cynical view is that doing AI on the client is the only way they can try to keep selling luxury items (jewelry really) and increasing prices for what are essentially and functionally commodity devices.
It might be that the browser only downloads deltas to install and that after a certain point, those deltas either can't be computed or are large enough that a new download is better.
I read a lot of negative things about log4j these days, but people forget how great log4j was compared to whatever the JDK provided us with. It served a useful purpose for most developers, and inspired many libraries in other languages.
This change is included in tag jdk8-b01, which was the first release build of Java 8.
I don't think this exploit as described actually works against a default-configured JVM released any time in the last decade. Is there actually an executable PoC which shows otherwise?
Now, it's true there are ways to exploit deserialisation without loading code. You need to find a class in the classpath that does something sketchy when deserialised. There has been a lot of work to clean up such things in recent years, but it's possible some still exist. Again, I would like to see a PoC.
> Apparently there had been a prior patch (CVE-2009-1094) for LDAP, but that was completely ineffective for the factory codebase. Therefore, LDAP names would still allow direct remote code execution for some time after the RMI patch. That “oversight” was only addressed later as CVE-2018-3149 in Java 8u191 (see https://bugzilla.redhat.com/show_bug.cgi?id=1639834).
Oracle totally and freely threw away every bit of goodwill that Sun had fostered over the years, when they bought the company. Chunked it in the dumpster out back, didn't care.
The "old" Sun: Encouraged hobbyist use of hardware, put out software under a "free unless you need to pay for support" term, open-sourced Solaris [1], was generous with hardware donations [2] to various organizations, and realized that if a sysadmin liked playing with Sun gear at home, they were more likely to recommend it at work.
The "new" Sun: Oracle flips everyone the bird with both hands, won't even communicate with you unless it's about a paid support contract.
[1] I was lucky to be one of the 250 people picked as the OpenSolaris test/release/publicity team; still have my "xxx of 250" poster print on the wall of my home office.
[2] They gave a Netra T1 and a disk shelf to us to run the Sun-Managers mailing list with, told me to keep a review-unit T1000 to run sunhelp.org on, and sent me a loaded Ultra 10 after a bit of a "misunderstanding". These are just three examples of many, many instances.
[3] http://www.sunhelp.org/letters/
Someone in the know at the time claimed to me that IBM's plan was to keep the hardware and customers, and mitigate anti-trust concerns by spinning off the software to Red Hat.
Given RH's compulsive open sourcing of acquisitions, it's one of the great tragedies of the software industry that IBM got cold feet over the concerns that Sun were facing violations of anti-bribery laws.