The unthinkable is happening in Europe. The corrupt and despotic Russian regime is waging an all-out war on its peaceful neighbor that has dared to cross Putin’s red line – i.e. decided to walk the path of democracy and self-determination. Our democratic world is “deeply concerned” and “stands strong in symbolic support”. Social networks and public proclamations are full of hearts & minds & prayers for Ukraine, full of denouncing the aggressor. Nice but shamefully not enough. Frankly, the action that we have taken so far is close to a farce. Time for words is over, time for action of every single I is now.
1. To my friends and colleagues in civilized democratic world
We need to stop asking “What can be done to help?”, “What will EU, NATO, Biden, Germany…do?”. Instead we need to introspect and ask “What am I going to do?”. I am providing our family estate to accommodate refugee families whose fathers and brothers are fighting on the front line (contact me if you know fleeing families in need). I am pushing my government to support the most aggressive and painful angle towards the Kremlin. I am sending relief money to support the Ukraine cause via Člověk v tísni. I am writing this article in the hope that the I-attitude would go exponential. What are you going to do?
2. To brave Ukrainian people defending their families, homes and lives
You have my admiration and my gratitude. You are standing proud, you are fighting my battle and I will do everything I can to help you on my end.
3. To invading Russian soldiers
You are lied to and abused. You know all too well you are not attacking Nazis and you are not freeing enslaved people from oppressors. I understand you are under oath and command. Still, you are free human beings accountable for your actions. Although in the wrong, please be heroes by staying human. Please bear that in mind next time you are loading a mortar shell, next time you are about to fire a rocket next to a kindergarten, next time you are about to shoot a man, probably a father who stands his ground to protect his family’s freedom and lives.
4. Lastly but most importantly, to all free-thinking Russians
I know this is not your war. I have received word from a lot of my Russian friends and I am happy to say you all stand united on a single position - you are ashamed and furious. The corrupt and aggressive regime that has been suffocating your nation for many years is holding you hostage in this senseless bloodshed. But as everywhere else in the world, change that is to stay needs to come from within, not without. Now is your big chance to make impact that lasts for generations. As we did more than 30 years ago in Czechoslovakia, now is your chance to stand up and ask: "Who, if not us?! When, if not now?!"
TL;DR: Spring Boot has got your back yet again. The way we at DTF, along with the vast majority of the world, are using Spring Boot, it is safe against the log4j2 vulnerabilities CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 (we are updating this list as they come). That being said, although Spring Boot gives you rock-solid fundamentals and defaults, it is also flexible and gives you the option to switch to vulnerable versions of log4j2; details below.
The log4j-to-slf4j and log4j-api jars that are included in spring-boot-starter-logging cannot be exploited on their own. Only applications that override this default by switching the logging system to log4j2, and that use log4j-core and include user input in log messages, are vulnerable. The Spring Boot team has responded with this article, and it is being updated as more info, CVEs and mitigation plans come in.
You can sleep well (while still being vigilant) if you’re following these simple rules as we do:
Be on supported versions of the frameworks you are using (Spring Boot 2.5.x and 2.6.x at the time of writing this article)
Use CVE-checking tools in your CI/CD (like OWASP dependency-check, which we are using in the test stage of our GitLab pipelines)
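A check that could run in CI beside the CVE scanner, testing the distinction drawn above between the default bridge jars and log4j-core inside a packaged Spring Boot archive. This is an added example, not code from the article or from the Spring Boot project; the function names, result labels and the `0.0.0` sample versions are constructed for illustration.

```python
import io
import re
import zipfile

# "log4j-core-0.0.0.jar" -> artifact "log4j-core", version "0.0.0"
JAR_NAME = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")
# Shipped by spring-boot-starter-logging; not exploitable on their own.
BRIDGE_ONLY = {"log4j-api", "log4j-to-slf4j"}


def bundled_log4j(jar_file):
    """Return {artifact: version} for log4j2 jars nested in a Spring Boot archive."""
    found = {}
    with zipfile.ZipFile(jar_file) as zf:
        for name in zf.namelist():
            # Executable jars nest dependencies in BOOT-INF/lib/, wars in WEB-INF/lib/.
            if not name.startswith(("BOOT-INF/lib/", "WEB-INF/lib/")):
                continue
            m = JAR_NAME.match(name.rsplit("/", 1)[-1])
            if m and m["artifact"].startswith("log4j-"):
                found[m["artifact"]] = m["version"]
    return found


def classify(found):
    """Map the bundled artifacts to the cases the article distinguishes."""
    if "log4j-core" in found:
        return "log4j-core-present"   # logging system switched: check version and CVEs
    if not found:
        return "no-log4j"
    if set(found) <= BRIDGE_ONLY:
        return "default-bridge-only"  # Spring Boot default logging setup
    return "other-log4j-artifacts"    # unexpected mix without log4j-core: inspect by hand


def constructed_jar(lib_names):
    """Build an in-memory archive with empty, constructed dependency entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for lib in lib_names:
            zf.writestr("BOOT-INF/lib/" + lib, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = constructed_jar(["log4j-api-0.0.0.jar", "log4j-core-0.0.0.jar"])
    found = bundled_log4j(sample)
    print(classify(found), found)
```

A `log4j-core-present` result only says the archive needs a version and CVE review; whether user input reaches log messages still has to be judged from the application code.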
As a late Christmas present, we have discovered that the guys at Haulmont intend to push our favorite Spring-based open-source Rapid Application Development framework, Cuba, to new heights by re-branding it to Jmix (not important) and by making a bunch of architectural decisions in the right direction (very important).
We have delivered some powerful business apps to our clients using Cuba and have thus also experienced its shortcomings, which we eventually had to overcome. Hence we are extremely thrilled about the intention to have less framework redundancy with Spring and to get closer to vanilla Spring Boot. We are also very happy to see a proper migration approach with the adoption of Liquibase, as we had to write our own migrations for previous versions of Cuba. There’s a bunch of good stuff announced, but I will refrain from elaborating further to honor the no-needless-redundancy principle. Feel free to dig in here.
We will keep an eye on releases for you and let you know about our hands-on experience with Jmix as soon as we deliver a project on it. Stay tuned.
After years of having a super-geeky, no-content website and being proud of it, we have finally decided it’s time to move on. For the sake of storing this pinnacle of creativity in 2017 web design for future generations, here it is. It comes in two flavours generated by our state-of-the-art AI machine to suit the visitor’s profile: