Log4j and the societal threat posed by open source vulnerabilities
What is the Log4j vulnerability?
Log4j is free and open source software used by thousands of websites and business applications worldwide. These apps and services include well-known companies such as Apple iCloud, Microsoft Minecraft, and Oracle Databases. The use of log4j is ubiquitous in the Java world, which makes the Log4j vulnerability very serious.
Security vulnerabilities were recently discovered in Log4j that could allow an attacker to remotely execute malicious code on a target computer. This means an attacker can easily steal data from the Internet, install malware, or take control of millions of computer systems.
According to Check Point research, more than 800,000 exploit attempts were detected in the first 72 hours after the Log4j issue was made public. The widespread impact of this vulnerability is so significant that it will take years to fix, as over 95% of Java programs use Log4j either directly or indirectly.
The Common Vulnerability Scoring System (CVSS), an industry-standard vulnerability severity ranking method, gave the Log4j vulnerability the maximum possible score of 10 out of 10, which is equivalent to an earthquake of 10 out of Richter scale. The vulnerability created ripple effects within and beyond the IT industry, and led to the exposure of many related vulnerabilities that were previously unknown.
Open source security in the wake of Log4j vulnerability
Major vulnerabilities such as Log4j can make open source software less secure. However, commercial and open-source source code is also susceptible to weaknesses, and commercial software often uses open-source components as well. This makes vulnerability management an essential part of modern information security.
The main difference is that anyone can identify issues in open source. In some cases, the vulnerabilities are not in the code itself but in the implementation (i.e. configuration). What matters are community efforts to find and address vulnerabilities. Users should treat open source technology differently than commercial products – there is no clearly designated person responsible for handling issues.
Anyone can and should modify open source code as they see fit to fix security issues or improve functionality. Everything in the open source world relies on voluntary contributions. If a company benefits from the efforts of the open source community for free, it must also be willing to contribute. Active participation is essential to follow updates and apply security patches as they become available.
Another problem with open source software is that many organizations trust it implicitly, allowing developers to download code and use it without making changes. They don’t apply the same strict security standards and reviews to open source as they do to their proprietary software.
Regarding the Log4j vulnerability, the Apache team working on Log4j took the issues seriously and addressed the needs of various users. The contributors demonstrated a high degree of responsibility for the project. But that reaction only comes after the damage is done, and there’s no guarantee that the open source contributors responsible for the next security calamity will be as vigilant.
Log4j is the tip of the iceberg
Log4j is not the problem, rather it is a symptom of the risks inherent in open source software. Open source is ubiquitous because it’s convenient, but attackers can access the code as freely as developers. They can scour open source projects for vulnerabilities to exploit and target organizations using the vulnerable code.
While open source contributors tend to be active and fix issues regularly, many companies using open source software fail to implement patches. There is no vendor to automatically upgrade the software for its customers. Attackers know that many organizations cannot apply all patches in time.
Attackers often exploit vulnerabilities as soon as they discover them, hiding malicious functions in their target’s network and stealthily gathering information through sleeper cells. In some cases, attackers wait weeks or months to launch an attack (e.g. ransomware), allowing them to learn more about the victim and cause more damage.
Major tech companies have launched initiatives to address the inherent risk of open source vulnerabilities. Google has pledged $100 million to open source security teams, and CISA (the Cybersecurity and Infrastructure Security Agency) is working with government agencies to help improve patch implementation. However, each organization is ultimately responsible for its own security.
Who will be most affected by open source security flaws?
Open source security impacts the entire global economy. However, large, tech-savvy organizations have the resources to protect their own infrastructure. They will be affected by future vulnerabilities, but will recover quickly.
The situation is different with small companies, even large companies that have not undertaken digital transformation. Think of manufacturing plants or retail chains whose staff are not technically competent, who may be using computer systems with outdated operating systems and who have a limited understanding of the importance of food hygiene. cybersecurity.
Some of the most devastating ransomware attacks, for example the JBL Foods attack that shut down some of the world’s largest slaughterhouses on three continents, have been against companies like these.
Low-tech companies employ a large part of the adult population. According to Statistica, 53 million Americans are employed in trade, manufacturing, construction, transportation and agriculture. Many of these organizations are fixed and easy targets for cyberattackers. They are unaware of their security weaknesses, likely lack the tools to detect an attack, and will have limited ability to contain and recover from an attack when it occurs.
A new digital divide is emerging. Just as physical disasters harm the most disadvantaged the most, cyber disasters will be devastating for organizations that are unaware and ill-prepared. Companies that are already disadvantaged by lack of technology capital and skills are at the mercy of cybercriminals. A cyberattack, damaging to any organization, can deal a mortal blow to these already fragile organizations.
There is no simple solution: technology is permeating every aspect of business life, cybercriminals are becoming increasingly sophisticated, and the tools to defend against them are beyond the reach of many. What we may need is a cybersecurity “welfare state,” a government-sponsored program to provide all businesses with a basic level of protection against a harsh cyber reality.
This article does not necessarily reflect the views of the editors or management of EconoTimes