[x3d-public] Log4j and what it means for encodings

John Carlson yottzumm at gmail.com
Tue Dec 14 20:44:27 PST 2021


Now it seems like a log4j formatting problem with versions prior to 2.15.0.
There are other unpatched vulnerabilities in log4j v1.

Next time, I’ll do more research, but continue to monitor your parsers and
validators for stack overflow conditions due to deeply nested nodes.

On Sat, Dec 11, 2021 at 3:37 PM John Carlson <yottzumm at gmail.com> wrote:

> Apparently there is a denial of service attack happening on
> log4j/struts/soap.   Imagine your X3D xml/json/VRML having millions of
> nested Groups and transforms.   How can we defend ourselves, and what
> limits can we set in place?  I do know tail recursion can help, but I’m not
> sure what happens when there are too many stack frames to open.
>
> I know the standard talks about limits on these things, but is there a
> limit of depth of nested nodes in the standard?  I will do some googling.
>
> Sent from my iPad
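
One way to enforce the kind of nesting limit asked about above, as an added example that is not part of the original messages: a streaming check for X3D XML that rejects a document as soon as element depth passes a limit. MAX_DEPTH = 256 and the names check_nesting, DepthLimitExceeded and nested_scene are assumptions made for illustration; the limit is a policy choice, not a value taken from the X3D standard.

```python
import xml.parsers.expat

MAX_DEPTH = 256  # assumed policy value, not taken from the X3D standard


class DepthLimitExceeded(ValueError):
    """Raised when element nesting goes past the configured limit."""


def check_nesting(xml_bytes, max_depth=MAX_DEPTH):
    """Stream the document through expat and return the deepest nesting seen.

    Depth is tracked with a counter in the start/end callbacks, so no tree is
    built and nothing in this code recurses. Parsing is aborted at the first
    element that exceeds max_depth.
    """
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > max_depth:
            raise DepthLimitExceeded(
                f"<{name}> nested {depth} levels deep, limit is {max_depth}")
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)  # handler exceptions propagate to the caller
    return deepest


def nested_scene(levels):
    """Constructed sample: <X3D><Scene> wrapping `levels` nested Transforms."""
    return (b"<X3D><Scene>" + b"<Transform>" * levels + b"<Shape/>"
            + b"</Transform>" * levels + b"</Scene></X3D>")


if __name__ == "__main__":
    print(check_nesting(nested_scene(10)))       # X3D + Scene + 10 + Shape
    try:
        check_nesting(nested_scene(100_000))     # stopped long before the end
    except DepthLimitExceeded as exc:
        print("rejected:", exc)
```

Running this check before handing the file to a tree-building or recursive loader means the deep document is refused while it is still a flat byte stream.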