How Dangerous Is Log4Shell and How it Affects the Java Industry?
In this short article, I would like to elaborate on the Log4Shell vulnerability and how it might affect the Java community. Log4Shell has been a hot topic in different media since its discovery. However, not all sources describe the problem correctly; some believe that it is a vulnerability reducing the whole Java world to a broken reed.
To clear away all misinterpretations, Log4Shell is not a Java vulnerability, but a Java library Apache Log4j 2 bug. This widely spread Java software is designed for logging error messages in applications.
As we know, there were four security patches issued by Apache since the vulnerability discovery, with the recommendation to integrate them immediately in case your software contains this library.
What Is Inside of This Bug and Where Did It Come From?
It is officially called CVE-2021-44228 and has the highest score of 10 in the CVSS security ranking, meaning that you should either shut down the application containing the bug or update the dependencies immediately. There were three more related vulnerabilities that were discovered under the numbers CVE-2021-45046, CVE-2021-45105, CVE-2021-44832, with the same critical security rank of 10.
Log4Shell vulnerability provides an opportunity for the intruders to get control of your device on the Internet. The library Apache Log4j 2 was written in Java using the OpenJDK, and it became evident that its code was not audited. This case created a considerable concern for the whole Java community regarding the security of the code. Rightfully so.
How It Affects the Java Industry
There are many different opinions, with some claiming that open software is to blame. I, however, would like to express a different point of view. The open-source approach to development is certainly more beneficial for the IT industry. In the open-source environment, we find out about the vulnerabilities as soon as they are discovered and fix them in a joint effort. Hypothetically, let's say that a bug is found in proprietary software. In that case, the developer community and consumers will not even know about it, hence cannot act.
Secondly, I believe that using a different approach to the software's security, quality, and technical support is beneficial. It does not mean that you should switch to proprietary products, but you should find and work with reputable and reliable OpenJDK providers.
Thirdly, an important rule in the IT industry is that no one should skip integrating security patches. If you don't follow this rule, you put yourself in a highly unsafe position.
Today OpenJDK is getting better and safer with each Critical Patch Update (CPU). The latest one was released in January 2022 for JDK 17, JDK 11, JDK 8. The various fixes introduced in these updates demonstrate the results of the united efforts of Java community members in discovering the issues and delivering solutions to them. This is the way to keep Java on top of the list of the most secure and performant programming languages.
Summary
Log4Shell vulnerability received extensive widespread media coverage and even resulted in the White House Meeting on Software Security. The discussion leaves expectations for more productive collaboration in preventing security defects and vulnerabilities in code and open source packages. It is bound to result in improving the process of finding defects and fixing them, and shortening the response time for distributing and implementing fixes.