This past December, as if the world had nothing else to worry about, we were confronted with what some consider one of—if not the—most impactful software vulnerabilities ever discovered.1 Specifically, it was a vulnerability found in the widely used Java-based logging utility called Log4j, a tool that was initially published by the Apache Software Foundation back in 2001.
The Log4Shell vulnerability has been described as “the single biggest, most critical vulnerability of the last decade”2 and “a design failure of catastrophic proportions”3 that will affect us for years to come.4 Such words are not often used, even in cybersecurity, but are appropriate here because this vulnerability is relatively easy to exploit, opens up a variety of different ways for the attacker, and forms a huge attack surface due to the extraordinarily large number systems using Log4j. The “blast radius” of Log4j is seemingly unprecedented.5
The vulnerability was published by Alibaba Cloud on Dec. 9, 2021, and appears in the National Institute of Standards and Technology's National Vulnerability Database (ID CVE-2021-44228) with a maximum Common Vulnerability Scoring System severity score of 10.0 (critical).6 It affected a wide range of products, including Cloudflare, iCloud, Minecraft, and Twitter. The number of affected servers and systems probably will reach into the millions. And to add insult to injury, the initial mitigation released by Apache was insufficient and required multiple updates7 while, in parallel, security researchers uncovered additional vulnerabilities, though none with a 10.0 rating.
The response was swift, and companies started the mitigation and patch process in an all-hands-on-deck approach.8 In parallel, cyber adversaries ramped up their attacks and developed increasingly sophisticated exploits to take advantage of vulnerable systems, as well as were able to circumvent external protections such as firewalls.9
A month prior (on Nov. 3), the Cybersecurity and Infrastructure Security Agency (CISA) had issued Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.10 CISA applied this directive to the Log4Shell scenario by mandating that all federal civilian executive branch agencies must mitigate Log4Shell by Dec. 24, 2021.
In this article, I don't want to focus on specific guidances and best practices on how to mitigate Log4Shell; others already have done this quite thoroughly and in a timely manner (e.g., CISA,11 GitHub,12 TechSolvency13). Also, a number of tools are available, including those from CISA14 and Google.15 Instead, I want to take a step back and look at the bigger picture and the lessons we can learn from this scenario.
Lessons To Be Learned
A former boss of mine had a saying: “Nobody is completely healthy; it is just that some people have not been examined thoroughly enough.” In a similar vein: Is software free of vulnerabilities, or has it not been looked at yet? Considering the continual increase of published vulnerabilities,16 we can safely conclude it is the latter.
But even more concerning is that the number of deeply embedded, impactful, and pervasive vulnerabilities has been growing. Thinking back, it seems that for the past year or two, we have been moving from one software crisis to the next (e.g., Urgent/11,17 Amnesia:33,18 Ripple20,19 BrakTooth20). Granted, Log4Shell trumped them all and put a noteworthy finish on the year.
Clearly, however, we need to recognize that not only is the number of vulnerabilities rising but also that their pervasiveness is growing, as they appear in lower levels of our software builds (and hence making it more difficult to determine if they are present). This affects software components that are widely used—and have been for many years—across extensive ranges of our infrastructure.
It appears that we have entered the Omicron phase of cybersecurity.
As more and more security researchers uncover an increasing number of vulnerabilities, and as more and more cyber adversaries (including nation states) engage in their own research to discover valuable zero-days, we need to ask ourselves if our current approach can succeed or, at a minimum, is sustainable?
Questions To Be Asked
First, the use of open-source software historically has been heralded as being safe and secure, as it is scrutinized as part of the larger community effort of generating and using these software components. But if we look at Log4j, a software tool widely used for decades, we learn that it has been maintained by only a handful of unpaid volunteers.21 And Log4j is not alone.22 For example, the widely used OpenSSL library was supported by two volunteers, eventually increased to four developers, and is funded through donations and a few support contracts. Considering the wide use and resulting risk, existing mechanisms for support seem to fall short.
Talking about risk: With Log4j being deployed in millions of systems and supporting billions of dollars of business as well as critical infrastructure, we do need to look at this as a wake-up call and reevaluate the risk equation and maintenance methodology of open-source software.
Risk management in open-source software, unfortunately, is not happening organically and automatically through a “many eyes” approach. It does raise valid concerns about responsibility versus accountability: It appears that at the lowest level—the level of the open-source component—risk management efforts are not scaled according to its financial or operational impact potential.
It further appears that with the current approach, we apply risk mitigation techniques (risk assessment, threat modelling, and various forms of software testing) at the level of the complete product and assume that this would uncover any supply chain vulnerabilities (be it open-source or commercial software).
Two supporting examples:
The Log4Shell vulnerability has been around for years and is being used in hundreds of products, yet it has only now been discovered.
On the commercial software supply chain side, the compromise of the SolarWinds IT management tool led to hacks of U.S. government agencies23—it was, in a sense, another security failure of our software supply chain.
Rightfully, the advisory firm Forester is contemplating a more methodical, metrics-based approach to manage widely used software packages.24 But in addition, it is raising the question of whether this would force us to confront the reality of open-source use that is “too widespread to fail.”
Source: https://xkcd.com/2347. Licensed under a Creative Commons attribution/noncommercial 2.5 license.
We live in a world of growing dependency on and increasing risk through software-based products. Unfortunately, it is not just a matter of well-resourced cybercriminals but also one of complex nation-state interests. Remember, the WannaCry and NotPetya attacks were using an exploit tool (EternalBlue25) that had been developed by the U.S. National Security Agency—but was leaked and disclosed by the Shadow Brokers26 hacking group and promptly weaponized by numerous cyber adversaries and nation states.
And government interests seem to take on some curious forms. The researchers that discovered Log4Shell were reprimanded by the Chinese government for not reporting the vulnerability to the Ministry of Industry and Information Technology first.27
Clearly, we need to improve our software quality, as we can't just continue to move from one software crisis to the next. This appears to be an unsustainable model, and we need to look for improvements—some of which will probably need to be quite radical in nature.
One such improvement is software transparency—in other words, providing better visibility through software bills of materials (SBOMs).28 I believe that Log4Shell has answered many open questions on what the future of SBOMs and SBOM-related processes needs to look like.
How deep does an SBOM have to be? As deep as possible, so that low-level components like Log4j can be reliably discovered.
What needs to be included in the SBOM? Everything, because any software component can lead to an exploitable vulnerability. For example, Log4j is not a functional program; it provides technical logging and debugging features.
How do SBOMs need to be distributed and managed? With as much automation as possible, which requires a degree of standardization of data formats and processes so that operators of systems can easily ingest SBOM information and can reliably match newly identified vulnerabilities against their asset inventory.
None of this will be easy, and it's asking a lot, but only with radical change can we meaningfully improve our cyber-defensive posture.
In Closing
One thing is becoming clear, software risk and vulnerability management is coming to a reckoning, and between the increasing sophistication of cyber adversaries and the growing number and pervasiveness of published software vulnerabilities, we need to look at fundamental change and radical improvement.
We need to not only improve our processes (and security posture) across the supply chain, but we also need to understand the chain of dependencies better—meaning the developer of a software component needs to be more aware of its use and resulting risks, and the developer of the final product needs to be more conscious about decisions to include supply chain software components.
In the end, the open question is: What else is out there? We don't know what we don't know, but if past trends are any indication, we're in for a rough ride.29 In cybersecurity, things usually don't get better on their own—and it appears that 2022 is already off to a wild start (e.g., Researchers find bugs in over a dozen widely used URL parser libraries30).
References
- 1. Goodin D . As Log4Shell wreaks havoc, payroll service reports ransomware attack . https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack . Accessed Nov. 16 , 2022. .
- 2. Associated Press . Recently uncovered software flaw ‘most critical vulnerability of the last decade.’ www.theguardian.com/technology/2021/dec/10/software-flaw-most-critical-vulnerability-log-4-shell . Accessed Nov. 16 , 2022. .
- 3. Hay Newman L . ‘The Internet is on fire.’ www.wired.com/story/log4j-flaw-hacking-internet . Accessed Nov. 16 , 2022. .
- 4. Hay Newman L . The Log4J vulnerability will haunt the Internet for years . www.wired.com/story/log4j-log4shell . Accessed Nov. 16 , 2022. .
- 5. Enosuchblog . Calculating my open source blast radius . https://blog.yossarian.net/2021/12/12/Calculating-my-open-source-blast-radius . Accessed Nov. 16 , 2022. .
- 6. National Institute of Standards and Technology . National Vulnerability Database: CVE-2021-44228 detail . https://nvd.nist.gov/vuln/detail/CVE-2021-44228 . Accessed Nov. 16 , 2022. .
- 7. Nichols S . Log4j gets a second update as security woes pile up . www.techtarget.com/searchsecurity/news/252511028/Log4j-gets-a-second-update-as-security-woes-pile-up . Accessed Nov. 16 , 2022. .
- 8. Stokel-Walker C . The FTC wants companies to find Log4j Fast. It won't be easy . www.wired.com/story/lo4j-ftc-vulnerability . Accessed Nov. 16 , 2022. .
- 9. Tung L . Log4j: how hackers are using the flaw to deliver this new ‘modular’ backdoor . www.zdnet.com/article/hackers-are-using-the-log4j-flaw-to-deliver-this-new-modular-backdoor . Accessed Nov. 16 , 2022. .
- 10. Cybersecurity and Infrastructure Security Agency . Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities . www.cisa.gov/binding-operational-directive-22-01 . Accessed Nov. 16 , 2022. .
- 11. Cybersecurity and Infrastructure Security Agency . Apache Log4j vulnerability guidance . www.cisa.gov/uscert/apache-log4j-vulnerability-guidance . Accessed Nov. 16 , 2022. .
- 12. GitHub . CISA Log4j (CVE-2021-44228) vulnerability guidance . https://github.com/cisagov/log4j-affected-db . Accessed Nov. 16 , 2022. .
- 13. TechSolvency . Log4Shell log4j vulnerability (CVE-2021-44228/CVE-2021-45046): cheat-sheet reference guide . www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#affected-products . Accessed Nov. 16 , 2022. .
- 14. GitHub . Log4j scanner . https://github.com/cisagov/log4j-scanner . Accessed Nov. 16 , 2022. .
- 15. GitHub . log4jscanner . https://github.com/google/log4jscanner . Accessed Nov. 16 , 2022. .
- 16. National Institute of Standards and Technology . CVSS severity distribution over time . https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time . Accessed Nov. 16 , 2022. .
- 17. Food and Drug Administration . URGENT/11 cybersecurity vulnerabilities in a widely-used third-party software component may introduce risks during use of certain medical devices . https://1technation.com/urgent-11-cybersecurity-vulnerabilities-in-a-widely-used-third-party-software-component-may-introduce-risks-during-use-of-certain-medical-devices . Accessed Nov. 16 , 2022. .
- 18. Cimpanu C . Amnesia:33 vulnerabilities impact millions of smart and industrial devices . www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices . Accessed Nov. 16 , 2022. .
- 19. Cimpanu C . Ripple20 vulnerabilities will haunt the IoT landscape for years to come . www.zdnet.com/article/ripple20-vulnerabilities-will-haunt-the-iot-landscape-for-years-to-come . Accessed Nov. 16 , 2022. .
- 20. Seals T . Bluetooth bugs open billions of devices to DoS, code execution . https://threatpost.com/bluetooth-bugs-dos-code-execution/169159 . Accessed Nov. 16 , 2022. .
- 21. Twitter . Tweet by Catalin Cimpanu, Dec. 11, 2021 . https://twitter.com/campuscodi/status/1469723936950730759?lang=en . Accessed Nov. 16 , 2022. .
- 22. Bradbury D . When software depends on a project thanklessly maintained by a random guy in Nebraska, is open source sustainable? www.theregister.com/2021/05/10/untangling_open_sources_sustainability_problem . Accessed Nov. 16 , 2022. .
- 23. Jibilian I , Canales K . The US is readying sanctions against Russia over the SolarWinds cyber attack. Here's a simple explanation of how the massive hack happened and why it's such a big deal . www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12 . Accessed Nov. 16 , 2022. .
- 24. Carielli S , Valente A , Condo C . Log4j, open source maintenance, and why SBOMs are critical now . www.forrester.com/blogs/log4j-open-source-maintenance-and-why-sboms-are-critical-now . Accessed Nov. 16 , 2022. .
- 25. Hay Newman L . The Leaked NSA spy tool that hacked the world . www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world . Accessed Nov. 16 , 2022. .
- 26. Wikipedia . The Shadow Brokers . https://en.wikipedia.org/wiki/The_Shadow_Brokers . Accessed Nov. 16 , 2022. .
- 27. Greig J . Chinese regulators suspend Alibaba Cloud over failure to report Log4j vulnerability . www.zdnet.com/article/log4j-chinese-regulators-suspend-alibaba-partnership-over-failure-to-report-vulnerability . Accessed Nov. 16 , 2022. .
- 28. National Telecommunications and Information Administration . NTIA software component transparency . www.ntia.doc.gov/SoftwareTransparency . Accessed Nov. 16 , 2022. .
- 29. Solana A . 2021 was a terrible year for cybersecurity. Without action, 2022 could be even worse . www.zdnet.com/article/2021-was-a-terrible-year-for-cybersecurity-without-action-2022-could-be-even-worse . Accessed Nov. 16 , 2022. .
- 30. Lakshmanan R . Researchers find bugs in over a dozen widely used URL parser libraries . https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html . Accessed Nov. 16 , 2022. .