Log4Shell Still Has Sting in the Tail

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • Apache Log4j 2

    Apache Log4j 2 is a versatile, feature-rich, efficient logging API and backend for Java.

  • > When it was first revealed in early December 2021, the Log4Shell bug was described as one of the most severe security vulnerabilities ever.

    > The Apache Software Foundation, which maintains the open-source tool, quickly released a patch...

    Apache horribly mismanaged this and did not release a patch until it was already widely known and being exploited in the wild. They also messed up and had to release several subsequent patches to actually fix the vulnerability.

    Remember: this vulnerability was disclosed to them in November.

    https://github.com/apache/logging-log4j2/pull/608#issuecomme...

  • lunasec

    LunaSec - Dependency Security Scanner that automatically notifies you about vulnerabilities like Log4Shell or node-ipc in your Pull Requests and Builds. Protect yourself in 30 seconds with the LunaTrace GitHub App: https://github.com/marketplace/lunatrace-by-lunasec/

  • (Note: I'm the person that coined the term "Log4Shell")

    You may be surprised when I tell you what the Apache Software Foundation's yearly budget is. You'd think for software that is used by practically every Fortune 500 company and most governments, it would be something reasonable. Maybe a few hundred million dollars a year to pay for a reasonable full-time staff, right?

    It turns out... it's about $2 million a year. (Wikipedia[0])

    This helps explain to me why the devs of Log4j directly uploaded the file "JNDIExploit.java" (the POC) to GitHub while they were patching. (Here is a full analysis and guide about how to prevent that[1].)

    They're not security people. They're volunteers working on this in addition to their full-time job.

    What kind of brave soul wants to trudge through and maintain log4j in their spare time for zero compensation? I appreciate the people that are capable of doing that, but I think they are rare!

    This whole entire vulnerability was eye-opening for everybody, and I have actually spent the last year building tooling on GitHub to help fix the problems that Log4Shell exposed.

    If you have 2 seconds to try that out or just Star the repo[2], it would be very helpful!

    0: Log4j revenue https://en.wikipedia.org/wiki/The_Apache_Software_Foundation

    1: "How to Discuss and Fix Vulnerabilities in Open Source" https://www.lunasec.io/docs/blog/how-to-mitigate-open-source...

    2: GitHub project building better dependency patching tools https://github.com/lunasec-io/lunasec

  • bun

    Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one

  • Absolutely, but if I had to rank Open Source projects by "enjoyment level to work on", I would rank a 10+ year old Java project primarily used by enterprise companies quite low on my list!

    Compare that to something like Bun.js[0] which is "sexy" and written in a "cool" programming language (Zig). Or Wasp[1] which is built with Haskell to make dev less painful.

    Those projects are naturally going to soak up smart people that hate their day job but need to pay bills.

    Who is left that wants to bang their head against a legacy codebase like Log4j? Maybe somebody that feels there is "clout" to be had from it? (Spitballing here, I honestly don't know!)

    0: https://github.com/oven-sh/bun

    1: https://github.com/wasp-lang/wasp

  • wasp

    The fastest way to develop full-stack web apps with React & Node.js.

