
> Java it's a pest fest for exploits.

Sure, if you haven't used it since the nineties and pay zero attention to new development.

I’ve only used Java in the last ten years. I helped deal with the log4j incident at a few companies. We specifically had to patch systems that were running newer versions of Java and older versions of Spring. The exploit relied on a new method of adding code to the JVM at runtime that newer versions of Spring had locked down to prevent people from using.

I’ve never seen an explanation for why this mechanism was added or what it was supposed to enable — besides enabling new exploits.

Every time I’ve seen Java used for a safety critical application the justification has been entirely based on the fact that it has cryptographic libraries that are widely certified for safety by enterprises. The security people on our side were… resigned.
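Since the comment above describes having to find and patch log4j-core inside deployed Spring applications, here is an added example (not from the thread or from any of the projects mentioned) of the kind of check a defender would script: it opens a jar or war, descends into nested jars as packaged by Spring Boot, and reports each bundled log4j-core with its version and whether the JNDI lookup class is still shipped. The class path, the pom.properties location and the 2.17.1 threshold are this example's assumptions, and the sample jars it builds are constructed fixtures.

```python
import io
import re
import zipfile

# Class implementing log4j's JNDI lookup; deleting it from log4j-core was one published hotfix.
# All names and the version threshold here are this example's own assumptions, not from the thread.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
MIN_FIXED_VERSION = (2, 17, 1)  # assumed: first 2.x release carrying the JNDI fixes

def parse_version(text):
    # "2.14.1" -> (2, 14, 1); a missing or odd version becomes () so it sorts as oldest.
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    return tuple(int(x) for x in m.groups() if x is not None) if m else ()

def inspect_archive(data, path="<root>", findings=None):
    """Report each log4j-core found in a jar/war, descending into nested jars (fat jars)."""
    findings = [] if findings is None else findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        m = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = m.group(1).strip() if m else None
        present = JNDI_LOOKUP_CLASS in names
        if present or version is not None:
            # Patch needed when the lookup class still ships and the version is old or unknown.
            findings.append({"path": path, "version": version, "jndi_lookup_present": present,
                             "needs_patch": present and parse_version(version) < MIN_FIXED_VERSION})
        for name in names:
            if name.lower().endswith((".jar", ".war", ".ear")):
                try:
                    inspect_archive(zf.read(name), f"{path}!{name}", findings)
                except zipfile.BadZipFile:
                    pass  # named like an archive but is not one
    return findings

def build_sample_jar(version, with_lookup, nested_in=None):
    """Constructed fixture: a minimal log4j-core-like jar, optionally wrapped in an outer jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    if nested_in is None:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr(nested_in, buf.getvalue())
    return outer.getvalue()
```

Run `inspect_archive(open("app.jar", "rb").read(), "app.jar")` over each deployed artifact; a finding with `needs_patch` true is a log4j-core that still carries the lookup class at a version below the threshold.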

The fact that everyone in these comments points at the one major incident in years is more telling than anything else.

Right, there haven't been crazy Java exploits going around the past few months, only Rust and Go!

The Log4j affair was last year. Kinda funny how HN still bitches about node dependencies and how Java's are more mature.
