Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking

Apache had to scramble at the beginning of December 2021 to be ready to release patches for Log4Shell when it publicly disclosed the situation on December 9 of last year. As a result, researchers quickly found edge cases and workarounds to the patches, and Apache was forced to release multiple iterations, which added to the confusion. 

“This thing was everywhere, truly everywhere,” says Jonathan Leitschuh, an open source security researcher. “Attackers were jumping on it, the security community was jumping on it, payloads were flying everywhere.”

Researchers say, though, that Apache’s overall response was solid. Nalley adds that Apache has made changes and improvements in reaction to the Log4Shell saga and hired dedicated staff to expand the security support it can offer to open-source projects to catch bugs before they ship in code and respond to incidents when necessary.

“In a short period of time, two weeks, we had fixes out, which is great,” Nalley says. “In some ways, this is not a new situation to us, and I would love to say we dealt with it perfectly. But the reality is, even at the Apache Software Foundation, this highlighted what a responsibility we have to everyone who consumes our software.” 

Going forward, the more concerning aspect of the situation is that, even a year later, roughly a quarter or more of the Log4j downloads from the Apache repository Maven Central and other repository servers are still full of vulnerable versions of Log4j. In other words, software developers are still actively maintaining systems running vulnerable versions of the utility or even building new software that is vulnerable.

“The reality is that the majority of the time when people are choosing a vulnerable open-source software component, there’s already a fix available,” says Brian Fox, cofounder and chief technology officer of the software supply-chain firm Sonatype, which operates Maven Central and is also a third-party Apache repository provider. “I’ve been around for a long time, and I’m jaded, but that really is shocking. And the only explanation is that people really do not understand what’s inside their software.”

Fox says that after the initial scramble to address Log4Shell, version downloads in Maven Central and other repositories hit a shelf where roughly 60 percent of the downloads were of patched versions and 40 percent were still of vulnerable versions. Over the last three months or so, Fox and Apache’s Nalley say they’ve seen the numbers fall for the first time to roughly a 75/25 percent split. As Fox puts it, though, “After a year, a quarter of the downloads is still pretty terrible.”

“Some people feel Log4j was a big wake-up to the industry, a collective freak-out and awakening,” he says. “And it has helped us really expand upon the message about software supply-chain security, because no longer were people in denial. The thing we were all talking about was real now’ we were all living it. But the peer pressure alone of Log4j should have forced everyone to upgrade, so if we can’t get this one to 100 percent, what about all the other ones?”

For security researchers, the question of how to address the long tail of a vulnerability is always present. And the issue applies not just to open-source software, but proprietary systems as well. Just think about how many years it took to move the last 10 percent of Windows users off of XP.

“With these worst-case scenarios—black swan events in open source—you just know they’re going to keep happening, because the community has gotten a lot better at reacting, but the pace of open-source development is even faster,” ChainGuard’s Lorenc says. “So we have to find the balance of prevention and mitigation, and keep coming up with efforts to reduce the frequency as much as possible. It’s like The Simpsons meme when Bart says, ‘This is the worst day of my life.’ And Homer says no, ‘The worst day of your life so far.’”

#Log4js #Log4Shell #Vulnerability #Year #Lurking


Related Posts

What Is Carbon Capture? With Gizmodo’s Molly Taft | Techmodo

Read more… #Carbon #Capture #Gizmodos #Molly #Taft #Techmodo

Apple MacBook Pro (16-Inch, 2023) Review: Great Gets Greater

When you need power from your laptop, it’s smart to plug in the charger to eke out as much performance as possible. However, Apple’s first M1-powered MacBook…

Wordle today: Here’s the answer, hints for January 27

You made it! It’s Friday, it’s Wordle time, and that means we’re here to help, as always. The bottom of this article features January 27’s Wordle solution….

Top tech news for Thursday, January 26, 2023

Green light. Besides Elon Musk, other businesses also have quarterly reports. Today that list includes Intel later this afternoon, and Comcast, which said it shed 440,000 TV…

Jumia’s investors rethink their stakes — for better and worse • TechCrunch

Baillie Gifford, the Edinburgh-based asset management firm long known to have a penchant for pre-IPO tech companies, has reduced its shares in African e-commerce giant Jumia, per…

Dungeons & Dragons Has Burned Up All the Goodwill

Image: Wizards of the Coast As fans of tabletop roleplaying games debate over what to do about Wizards of the Coast’s new draft of the Open Gaming…

Leave a Reply

Your email address will not be published. Required fields are marked *