Open source software holds the key to solving Log4Shell-type problems

Earlier this month, the existence of a critical vulnerability in Apache Log4j 2 was revealed and a PoC was released. Dubbed Log4Shell, this is an issue in a logging library for Java applications that is widely used in popular open source projects and enterprise level back end applications. Log4Shell introduced a critical security risk, rating 10 out of 10 in terms of severity.

The use of open source software has proven to be one of the most effective responses to this type of risk. While open source software does not guarantee a vulnerability-free life, it does guarantee rapid response and remediation, which is crucial in the event of a large-scale security risk such as that caused by Log4Shell.

Advantages of open source

Free software is defined as “software released under a license in which the copyright holder grants users the right to use, study, modify and distribute the software and its source code to anyone and for any purpose. “. Some of the benefits of this are lower hardware costs, higher quality software, flexibility, security, and transparency.

Having access to the source code and permission to modify it means that anyone can submit to the creator or maintainer any desired modifications to be included in the upstream software. While this also means that malicious actors can explore the code and search it for vulnerabilities, these people already do so with closed-source software that uses techniques such as fuzzing.

Closed source software is not inherently more secure than open source software.

When the source code of a software is not available for inspection, only the vendor can implement fixes, which creates a disparity between attackers and defenders (i.e. more attackers, less Defenders.) This gap is reversed for open source software, with more defenders than attackers. Additionally, closed-source software is more likely to have exploitable (or actively exploited) vulnerabilities in nature for a longer period of time and will have a longer Mean Time to Repair (MTTR) for those vulnerabilities. Businesses are also less likely to publicly report vulnerabilities in their closed-source software due to image and liability concerns, while open-source software is built on a model of transparency and openness.

In the case of the Log4j 2 vulnerability, its open source status meant that once discovered, the entire developer community could work on fixing it and also perform code reviews that uncovered two additional vulnerabilities (as of December 20 2021).

Log4Shell mitigation

The vulnerability allows malicious actors to execute arbitrary code on or recover confidential information from the attacked system. There are two ways to mitigate a vulnerability like this: by patching or updating Log4j in all systems and applications where it is deployed, or by blocking malicious requests as they enter the network, often through a reverse proxy or load balancer.

In the hours and days after the disclosure, many developers and companies released free detection and mitigation features, including container image analysis utilities and network plugins to detect and block. the Log4Shell exploit before it reaches a vulnerable primary server. The influx of energy and defensive response showcases the true power of the open source community.