The public disclosure last Thursday of a ‘zero-day’ vulnerability that potentially affects millions of users of hundreds of popular online services (from Minecraft to iCloud, through Steam, Cloudflare, etc.) has forced administrators around the world to apply urgent updates to close the door to cybercriminals.
The vulnerability, known as ‘CVE-2021-44228’ or ‘Log4Shell’, was discovered by Chen Zhaojun (a software engineer at Alibaba) and affects Apache Log4j, an open source logging library developed by the Apache Foundation that Java applications use to record what happens at runtime.
For now, the vulnerability has mostly been used to spread cryptocurrency-mining malware, but since it enables remote code execution in several of the most popular web applications, its effects can be far more serious if it is not patched immediately.
In fact, it has been assigned a 10/10 on the CVSS (Common Vulnerability Scoring System), the standard for rating vulnerability severity, and in recent days suspicious activity has been detected (mostly from the Tor network) mass-scanning web servers for the presence of this vulnerability.
🚨⚠️ New #0-day vulnerability tracked under “Log4Shell” and CVE-2021-44228 discovered in Apache Log4j 🌶️‼️ We are observing attacks in our honeypot infrastructure coming from the TOR network. Find Mitigation instructions here: https://t.co/tUKJSn8RPF pic.twitter.com/WkAn911rZX
– Deutsche Telekom CERT (@DTCERT) December 10, 2021
Fortunately, a patch already exists; in fact, it was released just over 24 hours after the maintainers became aware of Log4Shell. Updating to version 2.15.0 of Log4J closes the security hole.
The Log4J developers have done a remarkable job …
But if you are thinking of attributing this quick response to the Apache Foundation having a large staff of developers on its payroll, consider this first: those responsible for sparing some of the largest technology companies in the world from losses in the millions have been just three volunteer developers, working on the Log4J project “in their spare time”.
Volkan Yazici is one of those three developers, and has had to defend himself on Twitter from attacks that are clearly unfair given the circumstances of the project:
“The maintainers of Log4j have been working sleeplessly on mitigation measures; patches, documents, CVE, responses to queries, etc. However, nothing prevents people from attacking us, for a job for which they do not pay us, for a function [of the code] which we don’t all like, but which we need to keep due to backward compatibility issues.”
Why is the work of critical open source project developers so undervalued?
Another of his colleagues is Ralph Goers, creator of the initial version of Log4J, who currently keeps the library updated in the time left over from his job as a “full-time software developer”. He says so on his GitHub Sponsors page, a service that many open source developers use to find sponsors.
At the time the vulnerability was made public, Goers had only 3 sponsors, a figure that the publicity around the case had raised to 47 at the time of writing.
Meanwhile, many users have expressed outrage on social networks upon learning of the precarious situation of such a critical project (and gratitude to those responsible for their selfless and fundamental work):
“The Apache Log4j project is being maintained by three people who volunteer their free time. Please don’t be an idiot to them, because multi-million dollar companies are using their tool without even bothering to donate $1,000 to them” (Catalin Cimpanu).
“Doesn’t anyone pay Log4j2 maintainers!? There is a full page in the Apache Foundation Project Management Committee Guide on developer responsibilities… AND IS NOBODY PAYING THEM? […] What are we doing, people? […] Open source needs to mature a lot” (Filippo Sottile).
“The Internet is vulnerable because we are trusting an open source project by a guy who has two jobs, one of them unpaid. Of course [the project] has problems, how could it not? He is doing the best he can. Why are we so reluctant to pay for critical dependency developers’ time?” (Ada Worcester).