I'm embarrassed to say I have never heard of Log4j until today. It doesn't have the same name recognition as OpenSSL but it sure does have the same amount of press and dominating Tech Twitter.
So I ask you fellow sustainer(s), what is it, why are people freaking out, are they underfunded?
I've seen security companies mocking it to advertise their greatness in vulnerability scan. Looks kind of mean spotlight to me if maintainers are indeed underfunded and nobody cares for them.
The way I understand it, Log4J is the library used by pretty much any Java application to handle logging. I'm not a programmer but reading tutorials like this on how to use Log4J helped me understand what the issue is about.
People are freaking out because the library is pretty much everywhere Java is. But it's hard to find exactly where because Java programs are distributed in zipped packages that may contain zipped packages, recursively… Log4J can be everywhere. Also the vulnerability seems to be quite engrained, so much so that the first patch didn't solve the problem. The article that explained better to me the depth of the issue is this one: Log4Shell: We Are in So Much Trouble – The New Stack
Are they underfunded is a huge question that I have no answer for. I think the problem is a lot deeper, not a problem that money alone can fix. I call it the "bad cement" theory: if civil engineers built bridges with bad cement they all bought from the same bad factory, all the bridges would collapse. There is a reason that cement gets tested before it gets poured in every single site.
We (software "engineers") use this "bad cement" in the digital infrastructure. And the digital bridges collapse. It's not a money nor an open source issue because… just look at the Solarwind debacle.
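The post above makes the point that Log4J is hard to locate because Java deployments are archives nested inside archives. The following script is an added example (it is not from this thread and not a tool from the Log4j project): it walks a .jar/.war/.ear/.zip recursively in memory, records every copy of log4j-core it finds by reading the `pom.properties` file that Maven-built log4j-core jars carry, and notes whether the `JndiLookup` class (the class the later mitigation advice centred on) is present. The sample nested archive is constructed inline so the script runs offline; it reports versions but deliberately embeds no "safe version" threshold, since the thread itself notes that the first patch was not the last.

```python
import io
import zipfile

# Archive types that may contain further archives (Java packaging nests these).
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Real paths inside a Maven-built log4j-core jar.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def scan_archive_bytes(data, chain=()):
    """Return a list of findings for every log4j-core found in `data`,
    descending into nested archives. `chain` is the path of enclosing
    archives, so a finding can be traced back to the outermost file."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to report
    with zf:
        names = zf.namelist()
        if POM_PROPERTIES in names or JNDI_LOOKUP_CLASS in names:
            version = None
            if POM_PROPERTIES in names:
                text = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
                for line in text.splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({
                "chain": "/".join(chain) or "<root>",
                "version": version,
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        # Recurse into anything that looks like an embedded archive.
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive_bytes(zf.read(name), chain + (name,)))
    return findings


def scan_path(path):
    """Scan an archive on disk; the outermost file name starts the chain."""
    with open(path, "rb") as f:
        return scan_archive_bytes(f.read(), (path,))


def build_zip(entries):
    """Build an in-memory zip from a {name: content} dict (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def constructed_sample():
    """A constructed nested archive: an outer zip holding a .war that holds
    a log4j-core jar, plus a second copy with JndiLookup.class removed.
    The version string and class bytes are placeholders, not real artifacts."""
    inner = build_zip({
        POM_PROPERTIES: "artifactId=log4j-core\nversion=2.14.1\n",
        JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",  # fake class file header
    })
    stripped = build_zip({POM_PROPERTIES: "version=2.14.1\n"})
    war = build_zip({
        "WEB-INF/lib/log4j-core-2.14.1.jar": inner,
        "WEB-INF/lib/helper.jar": build_zip({"a.txt": "unrelated"}),
    })
    return build_zip({
        "app.war": war,
        "lib/log4j-core-stripped.jar": stripped,
        "README": "constructed sample",
    })


if __name__ == "__main__":
    for finding in scan_archive_bytes(constructed_sample()):
        print(finding)
```

On a real system you would call `scan_path()` over each deployed archive (for example everything under an application server's deployment directory) and compare the reported versions against the Log4j project's current advisory, rather than trusting a single "is it patched" boolean.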
I wonder if it's actually uniquely an open source problem. This is because only OSS is widely enough used / deep enough in the stack to be analogous to "bad cement" in this analogy. Commercial software can at most be a widely-deployed commercial tool such as SolarWinds, which, though it's pretty bad, just involves turning off the SolarWinds tool as a mitigation – which would at the most deprive people of a commercial IT monitoring tool. On the other hand, a foundational OSS component like log4j can't just be "turned off" because everything depends on it!
I think the log4j problem is the problem of complexity that projects like Java develop while being overengineered in corporate walls. I would be pretty interested to find merge request reviews that approved injecting this external query feature into log4j.
Log4J is probably the standard library for logging Java side, especially on servers. It can be a bit overkill though since it provides tons of "appenders" for writing the logs into other infrastructure components etc. So from your Java code, without the code being aware of it, Log4J can be sending your log data off server. From the Log4J wikipedia article:
The actual outputs are done by Appenders.[18] There are numerous Appenders available, with descriptive names, such as FileAppender, RollingFileAppender, ConsoleAppender, SocketAppender, SyslogAppender, and SMTPAppender. Log4j 2 added Appenders that write to Apache Flume, the Java Persistence API, Apache Kafka, NoSQL databases, Memory-mapped files, Random Access files[19] and ZeroMQ endpoints. Multiple Appenders can be attached to any Logger, so it's possible to log the same information to multiple outputs; for example to a file locally and to a socket listener on another computer.
For most of my needs I use SLF4J instead when I'm doing JVM work. It can drive Log4J if you ever need to get to that level of complexity but in the meantime it can do the plain jane logging to a file with some formatting controls etc. Setting up Log4J isn't exactly hard but it's more trouble than it's worth a lot of the time.