What Log4Shell teaches us about open source security

Hear from CIOs, CTOs, and other C-level and senior execs on data and AI strategies at the Future of Work Summit this January 12, 2022. Learn more


A serious security vulnerability is discovered in a piece of open-source software — widely used behind the scenes on the internet but little known to the average person — that can give attackers access to a treasure trove of sensitive data.

The incident exposes how a vulnerability in a seemingly simple bit of infrastructure code can threaten the security of banks, tech companies, governments, and pretty much any other kind of organization.

Companies race to fix the problem but fear it will plague the internet for years.

Sounds like Log4Shell, the previously unknown flaw in a ubiquitous and free program that has been freaking out experts since it came to light last week, right? Yes, but it also describes an eerily similar episode from 2014. Remember Heartbleed?

Heartbleed was a bug in OpenSSL, the most popular open-source code library for executing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols used in encrypting websites and software.

The flaw, which allowed hackers to trick a vulnerable web server into sending them encryption keys and other confidential information, was linked to several attacks, including one on a large U.S. hospital operator that resulted in the theft of 4.5 million healthcare records. Researchers at Google and software company Codemonicon independently discovered the vulnerability and reported it in April 2014.

After Heartbleed came to light, the world wondered how malicious actors were able to compromise a piece of software so essential to the internet’s secure operation. To many, the incident also raised questions about the security of all open-source software.

Fast forward to December 2021 and those same questions are surfacing.

Like OpenSSL, Log4j — the Java program compromised by the Log4Shell bug — is a widely used, multi-platform open-source library. Developed and maintained under the auspices of the all-volunteer Apache Software Foundation, Log4j is deployed on servers to record users’ activities so they can be analyzed later by security or development teams.

Hackers could use the flaw to access sensitive information on a variety of devices, plant ransomware attacks, and take over machines to mine crypto currencies. The vulnerability was discovered almost by happenstance, when Microsoft announced it had found suspicious activity in Minecraft: Java Edition, a popular video game it owns.

Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said, “To be clear, this vulnerability poses a severe risk… We urge all organizations to join us in this essential effort and take action.”

As with Heartbleed, Log4Shell illustrates how the prevalence of open-source software in enterprises around the world — programs like OpenSSL and Log4j and the multitude of code that depends on them in modern software development — has increasingly made it a favorite attack target.

Nearly every organization now uses some amount of open source, thanks to benefits such as lower cost compared with proprietary software and flexibility in a world increasingly dominated by cloud computing. Open source isn’t going away anytime soon — just the opposite — and hackers know this.

As for what Log4Shell says about open-source security, I think it raises more questions than it answers. I generally agree that open-source software has security advantages because of the many watchful eyes behind it — all those contributors worldwide who are committed to a program’s quality and security. But a few questions are fair to ask:

Who is minding the gates when it comes to securing foundational programs like Log4j? The Apache Foundation says it has more than 8,000 committers collaborating on 350 projects and initiatives, but how many are engaged to keep an eye on an older, perhaps “boring” one such as Log4j?

Should large deep-pocketed companies besides Google, which always seems to be heavily involved in such matters, be doing more to support the cause with people and resources?

And, finally, why does it always seem to take the disclosure of a vulnerability in an open-source program before the world realizes how critical that program is? Is the industry doing enough to recognize what those software packages are and prioritizing their security?

Log4Shell, like Heartbleed before it, demonstrates that, if nothing else, these questions should be asked and answered.

Justin Dorfman is open source program manager at cybersecurity company Reblaze.

VentureBeat

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative technology and transact. Our site delivers essential information on data technologies and strategies to guide you as you lead your organizations. We invite you to become a member of our community, to access:

  • up-to-date information on the subjects of interest to you
  • our newsletters
  • gated thought-leader content and discounted access to our prized events, such as Transform 2021: Learn More
  • networking features, and more

Become a member