Relying Upon Open Source and Log4j2
In private, public, commercial, personal, you-name-it projects, nearly every one relies on open source software embedded in the application somewhere.
There are some benefits to this:
- The development's sponsor does not have to pay for the research and development of features provided by open source software.
- Open source software gets updates, while Stack Overflow posts do not, and some of those posts contain vulnerabilities. To be fair, it really is on the human to understand what they are contributing to their own code, and I agree.
- Generated code from products like GitHub Copilot is insecure.
- Updates to open source often come with new features that may be helpful or useful. Some features come through sponsored work so more can benefit.
Notably there are some negatives, but these negatives are often outweighed by the positives.
- Supply chain attacks are a thing. Bumping a version does not in any way entail that a developer read all the changes involved and can sign off on them.
- Legal risk that comes with the license attached to open source software.
- The sponsor's use case may not be covered by or compatible with available open source software.
But there's one negative omitted from the above.
Software from any source may come with vulnerabilities, and those using the software might never know. Apache Log4j2 had several undiscovered vulnerabilities for years. Only after the first one drew literally global attention did more come out in a matter of days. There are ongoing nation-state attacks targeting this vulnerability.
- CVE-2021-44228 - Apache Log4j2 JNDI features do not protect against attacker controlled LDAP and other JNDI related endpoints.
- CVE-2021-45046 - Apache Log4j2 Thread Context Lookup Pattern vulnerable to remote code execution in certain non-default configurations.
- CVE-2021-45105 - Apache Log4j2 does not always protect from infinite recursion in lookup evaluation.
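Before any of the three CVEs above can be patched, a defender has to find every copy of log4j-core, including ones bundled inside someone else's jar. The following is an added example, not code from this post: a Python scanner that descends into nested jars, reads log4j-core's Maven pom.properties and checks whether the JndiLookup class actually ships. It assumes the Log4j 2.x mainline, where 2.17.0 fixes all three CVEs (the 2.12.3 and 2.3.1 backport releases are also fixed but are flagged conservatively here), and the jar contents it builds are constructed samples.

```python
import io
import re
import zipfile
from pathlib import Path

# The three CVEs above are all fixed on the Log4j 2.x mainline from 2.17.0.
# Backport lines (2.12.3, 2.3.1) are fixed too; this check is deliberately
# conservative and flags any lookup-capable log4j-core below 2.17.0.
FIXED_MAINLINE = (2, 17, 0)
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def parse_version(text):
    """Extract (major, minor, patch) from a Maven pom.properties body."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None

def inspect_jar(data, path=""):
    """Yield (path, version, has_jndi_lookup) for each log4j-core found in a
    jar given as bytes, descending into nested jars (fat jars, wars, agents)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = parse_version(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            yield path, version, JNDI_CLASS in names
        for name in sorted(names):
            if name.endswith(".jar"):  # nested jar: recurse with a '!/' path
                yield from inspect_jar(zf.read(name), f"{path}!/{name}")

def is_exposed(version, has_jndi_lookup):
    """Exposed if the JNDI lookup class ships and the version is unknown or too old."""
    return has_jndi_lookup and (version is None or version < FIXED_MAINLINE)

def scan_tree(root):
    """Map every log4j-core found under root (nested paths use '!/') to exposure."""
    root = Path(root)
    return {sub: is_exposed(v, j)
            for jar in root.rglob("*.jar")
            for sub, v, j in inspect_jar(jar.read_bytes(), str(jar.relative_to(root)))}

def make_jar(entries):
    """Constructed sample builder: a jar (zip) from a {entry_name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()
```

Run `scan_tree("/path/to/deployment")` against a real install to get a per-jar exposure map; a jar reporting an old version but no JndiLookup class is one where the class was removed as a mitigation.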
Practically everyone is impacted. Not using Log4j2 in your app? Maybe an agent that monitors your app is using log4j2. Or quite literally for me, my networking infrastructure:
An event like this, however, does not mean that open source software is inherently bad and vulnerable. Several argue that open source software is less vulnerable because the developers actually want to release something of high quality, whereas closed source environments are constrained by cost and time.
So what can be done to make open source software safer? Frankly the biggest players need to step up. The small ones will not. I know for certain that a company with only 10 developers will not spare a moment contributing back.
Microsoft sometimes seems to be a role model here. They have a significant presence in the open source world. Whether they are doing enough, I don't know.
But there are other big tech players out there, notably Apple.
Frankly I think the best way forward is for Big Tech to do what's right for them by actually investing time and resources into the assets they use, instead of shooting themselves in the foot.
But it won't happen.
So what other alternatives might there be?
Maybe nation states / governments? It's clear that other nation states are willingly exploiting this.
So it seems reasonable that other nation states protect the interests of their citizens by putting efforts towards securing shared software.
There are proposals elsewhere to do this.
But doing tech work in the public sector is... I hear it's unfulfilling, underpaid, and that peers do not care enough about the quality of their work to produce something good. Everyone there is so sure they'll still be there tomorrow that they do not care to learn or to change anything. And that in fact, changes have to come by contracting out work because the contractors will actually do something new instead of dealing with bureaucracy and internal politics. This opinion comes from a developer for a state institution, not the federal institution.
So if Big Tech won't stand up, and Government employment won't produce anything of use, what is the solution?
Shared open source software can have an incredible impact when done right or wrong; log4j2 has proven that. I'm not convinced that shared open source software will receive attention proportional to its impact unless a significant culture shift occurs. This is a tragedy of the commons problem. How do you fix that? How do you convince the people with money to allocate resources into something that will specifically be maintenance? These people have master's degrees in business administration; they are educated to cut out costs on activities that don't produce immediate measurable value. The only exception might be for compliance requirements.
So unless there is a disaster so bad that it affects life and property, like those of the chemical industry, I do not see change happening.
Log4j2 isn't enough of a disaster. The SolarWinds cyber attack was not enough.
These security vulnerabilities do not have significant lasting impacts on life and property to qualify as a disaster for a group of people to compel others to get their act together.