Explain The Log4j Vulnerability Like I'm 5

I’m embarrassed to say I have never heard of Log4j until today. :man_facepalming: It doesn’t have the same name recognition as OpenSSL but it sure does have the same amount of press and dominating Tech Twitter.

So I ask you fellow sustainer(s), what is it, why are people freaking out, are they underfunded?

I’ve seen security companies mocking it to advertise their greatness in vulnerability scan. Looks kind of mean spotlight to me if maintainers are indeed underfunded and nobody cares for them.

1 Like

The way I understand it, Log4J is the library used by pretty much any Java application to handle logging. I’m not a programmer but reading tutorials like this on how to use Log4J helped me understand what the issue is about. People are freaking out because the library is pretty much everywhere Java is. But it’s hard to find exactly where because Java programs are distributed in zipped packages that may contain zipped packages, recursively… Log4J can be everywhere. Also the vulnerability seem to be quite engrained, so much so that the first patch didn’t solve the problem. The article that explained better to me the depth of the issue is this one Log4Shell: We Are in So Much Trouble – The New Stack

Are they underfunded is a huge question that I have no answer for. I think the problem is a lot deeper, not a problem that money alone can fix. I call it the “bad cement” theory: if civil engineers built bridges with bad cement they all bought from the same bad factory, all the bridges would collapse. There is a reason that cement gets tested before it gets poured in every single site.

We (software “engineers”) use this “bad cement” in the digital infrastructure. And the digital bridges collapse. It’s not a money nor an open source issue because … just look at the Solarwind debacle.

2 Likes

I wonder if it’s actually uniquely an open source problem. This is because only OSS is widely enough used / deep enough in the stack to be analogous to “bad cement” in this analogy. Commercial software can at most be a widely-deployed commercial tool such as SolarWinds, which, though it’s pretty bad, just involves turning off the SolarWinds tool as a mitigation – which would at the most deprive people of a commercial IT monitoring tool. On the other hand, a foundational OSS component like log4j can’t just be “turned off” because everything depends on it!

1 Like

SolarWinds was not Open Source. I believe the good Open Source response to this threat is described at https://www.linuxfoundation.org/blog/preventing-supply-chain-attacks-like-solarwinds/

I think the log4j problem is the problem of complexity that projects like Java develop while being overeengineered in corporate walls. I would be pretty interested to find merge request reviews that approved injecting this external query feature into log4j.

1 Like

Log4J is probably the standard library for logging Java side, especially on servers. It can be a bit overkill though since it provides tons of “appenders” for writing the logs into other infrastructure components etc. So from your Java code without the code being aware of it Log4J can be sending your log data off server. From the Log4J wikipedia article:

The actual outputs are done by Appenders .[18] There are numerous Appenders available, with descriptive names, such as FileAppender, RollingFileAppender, ConsoleAppender, SocketAppender, SyslogAppender, and SMTPAppender. Log4j 2 added Appenders that write to Apache Flume, the Java Persistence API, Apache Kafka, NoSQL databases, Memory-mapped files, Random Access files[19] and ZeroMQ endpoints. Multiple Appenders can be attached to any Logger, so it’s possible to log the same information to multiple outputs; for example to a file locally and to a socket listener on another computer.

For most of my needs I use SLF4J instead when I’m doing JVM work. It can drive Log4J if you ever need to get to that level of complexity but in the mean time it can do the plain jane logging to a file with some formatting controls etc. Setting up Log4J isn’t exactly hard but it’s more trouble than its worth a lot of the time.

1 Like

https://issues.apache.org/jira/browse/LOG4J2-313

3 Likes

This is a great analogy especially for a ‘explain it like I’m 5’ post.

1 Like

ICYMI, this was a great read. :arrow_heading_down:

3 Likes