
Let’s talk Log4Shell, which hit over the weekend, and the supply chain question it exposes

The headline today is the announcement of vulnerabilities in Apache Log4j, the Java-based logging library used for web server and application logging. Nicknamed Log4Shell, the flaw is already being actively exploited in the wild by malware. It carries a severity score of 10 out of 10; the library, developed by the open-source Apache Software Foundation, is a critical Java logging framework. Both patches and mitigation techniques are available.

Any device exposed to the internet is at risk if it’s running Apache Log4j versions 2.0 to 2.14.1. NCSC notes that Log4j version 2 (Log4j2), the affected version, is included in the Apache Struts2, Solr, Druid, Flink, and Swift frameworks.
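Knowing the affected range is only useful if you can find those builds on your own systems. The script below is an added example, not code from the original post or from the Log4j project: it reads the version recorded in a log4j-core jar's `META-INF/MANIFEST.MF`, flags anything in the 2.0 to 2.14.1 range the post names, and reports whether the jar still contains the `JndiLookup` class that Apache's mitigation guidance tells you to remove from builds you cannot upgrade yet. The manifest keys it consults (`Log4jReleaseVersion`, with `Implementation-Version` as a fallback) are assumed here; the sample jars it builds are constructed fixtures, not real Log4j releases.

```python
"""Inventory check for the Log4j 2 versions named in the post (2.0 through 2.14.1).

Added example. Inspects log4j-core jars for their recorded version and for the
presence of the JndiLookup class, and walks a directory tree looking for them.
"""
import io
import re
import zipfile
from pathlib import Path

# Affected range as stated in the post.
AFFECTED_MIN = (2, 0, 0)
AFFECTED_MAX = (2, 14, 1)

# Manifest keys consulted, most specific first (assumed key names; adjust if
# your build writes the version somewhere else).
VERSION_KEYS = ("Log4jReleaseVersion", "Implementation-Version")

# Class whose removal is the documented stop-gap mitigation for older builds.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0' -> (2, 0, 0).

    Trailing qualifiers such as '-beta9' or '-rc1' are ignored, so a
    pre-release of an affected version is still compared as that version.
    """
    nums = []
    for part in text.strip().split(".")[:3]:
        match = re.match(r"\d+", part)
        if not match:
            break
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected_version(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def manifest_version(manifest_text):
    """Return the first known version key found in a MANIFEST.MF body, or None."""
    entries = {}
    for line in manifest_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            entries[key.strip()] = value.strip()
    for key in VERSION_KEYS:
        if key in entries:
            return entries[key]
    return None


def inspect_jar(jar):
    """jar: a path, a binary file object, or raw jar bytes. Returns the findings."""
    if isinstance(jar, (bytes, bytearray)):
        jar = io.BytesIO(jar)
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            version = manifest_version(manifest)
    return {
        "version": version,
        "affected": version is not None and is_affected_version(version),
        "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
    }


def scan_tree(root):
    """Inspect every log4j-core*.jar below root; keyed by path."""
    return {str(p): inspect_jar(p) for p in Path(root).rglob("log4j-core*.jar")}


def build_sample_jar(version, include_jndi_lookup):
    """Constructed fixture: a minimal jar with a manifest and, optionally, an
    empty JndiLookup.class entry. Not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nLog4jReleaseVersion: {version}\r\n")
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    # Three constructed cases: affected and unmitigated, affected but with the
    # class removed, and a fixed version.
    for version, jndi in (("2.14.1", True), ("2.14.1", False), ("2.15.0", True)):
        print(version, inspect_jar(build_sample_jar(version, jndi)))
```

Point `scan_tree()` at an application directory to get the same report for every log4j-core jar it finds; a jar that is both in the affected range and still carries `JndiLookup.class` is the one to patch first. The check looks only at jars named log4j-core, so bundled copies inside fat jars or WAR files need a second pass that opens nested archives.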

With the basics out of the way, let’s focus on some of the other business-related details of the exploit. 

ITnews reports that the maintainers of the Java Log4j project had only three sponsors, despite the software being a crucial part of large companies’ commercial products and enterprise applications. They now report 58 mostly individual sponsors for the project, despite usage by companies such as Apple, Microsoft, Steam, Twitter, Baidu, and Cloudflare.

CompTIA has made its ISAO forum thread available for free to the public due to the nature of this issue.

Why do we care?

This is one of those stories that is important to highlight but is nothing new. For end users, the message is “make sure you’re patched.” For IT providers, it’s “roll out patches and ensure mitigation is implemented,” and for vendors, it’s “get your patch out.” It’s incredibly newsworthy but not noteworthy, because the playbook is no different. Go forth and run the playbook, because it’s time.

Giving this some further thought, the ITNews article offers an expert opinion that “maintainers should become professionalized, sending big companies suitably large invoices for their work as this is a model that enterprises understand, unlike donation-based funding.”

As organizations consider the supply chain broadly… if your multi-million-dollar revenue stream depends on a couple of volunteers on the internet… maybe that’s a risk you should be factoring in, huh? Something to ponder on this chain.