In this episode of the podcast (#232), Tomislav Peričin of the firm ReversingLabs joins us to talk about Log4Shell, the vulnerability in the ubiquitous Log4j Apache library. Tomislav tells us why issues related to Log4j won’t be going away anytime soon and how organizations must adapt to deal with the risk it poses.
If you’ve been paying attention to your infosec news feed this week, you’ve been inundated with stories and headlines about something called “log4j, a (previously) obscure library that is a common component of a number of Apache software frameworks. This quiet little soldier of the open source software world, we now know, has a glaring security hole in it that allows remote code execution on affected systems.
Log4j: A Very Popular Library
And that’s a big problem. Why? Well, it turns out that Log4j is a very, very, very popular software library. The firm Sonatype notes that in November, log4j-core, the vulnerable version of the module, was the 252nd most popular component by download volume in Sonatype’s Maven Central code repository. That’s out of a total population of 7.1 million artifacts – that’s the top 0.003% percentile in popularity by downloads. To date, more than 2000 software packages have been identified that are potentially vulnerable to attacks targeting log4j. Those include both the popular Minecraft massively multiplayer online game as well as Apple’s iCloud and Twitter. SAP announced on Wednesday that it, alone, patched 20 applications that used Log4j. In the meantime, threat actors are scanning the Internet to identify servers vulnerable to exploitation.
Supply Chain Risks: The New Normal
What does this mean for your organization? And what does the Log4j vulnerability tell us about the shape of cyber risks and threats to come? We invited Tomislav Peričin in to the Security Ledger studios to talk. Tomislav is the Chief Software Architect at the firm ReversingLabs and he’s an expert in software analysis and supply chain risks. In this conversation, Tomislav explains what Log4j is and why the security hole in it poses such a big risk. He also talks about some of the big picture changes that organizations will need to make to stay on top of supply chain risks such as this. At the top of that list of changes: creating and analyzing software “bills of materials”(SBoMs) that allow you to keep track of the ingredients in the applications you rely on.