
How Much Should the Federal Government Worry About Log4j?

There is an old fable about the circle of life on the plains of Africa: every morning a gazelle wakes up and knows that it must run faster than the lion or it will be eaten. The current Apache log4j remote code execution (RCE) exploit, which is playing out as this blog post is being written, is a stark example of how that fable has some truth to it. I think a more realistic version would change the gazelle's logic slightly: it doesn't necessarily have to outrun the fastest lion, but rather the slowest gazelle. Joking aside, speed is a big factor in your open source software (OSS) risk management, and that is why achieving a high level of competency in DevSecOps and maintaining a secure software supply chain that makes your risk visible in all stages of your software lifecycle is key. So the answer, in this writer's opinion, is that the Fed should be very, very worried about log4j indeed.

What is the Response?

Right now, there are companies literally scrambling with all IT hands on deck trying to figure out where the Apache log4j-core library might be lurking in their applications. Meanwhile, security teams are monitoring ingress and egress traffic for signs that attacks have occurred. This is a nightmare scenario for many, and what is worse is that, to a certain extent, it is an avoidable nightmare. There were signs that hackers were taking advantage of the exploit early in December, but it only took a few hours from the public announcement for the malicious activity to begin. Just ask the folks at Kronos how their day is going since their cloud service was taken down by a ransomware attack that …
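The "where is log4j-core lurking" hunt described above is what supply-chain visibility is supposed to make unnecessary. As an added illustration (not code from the original post or from Sonatype), the following Python inventory script walks a directory tree, opens every JAR/WAR/EAR, recurses into archives nested inside them (fat JARs, WAR `WEB-INF/lib`), and reports each copy of log4j-core with the version from its Maven `pom.properties`. The sample application archive and its `2.0-SAMPLE` version string are constructed placeholders for the test; the two metadata paths are the real ones log4j-core ships.

```python
import io
import os
import zipfile

ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
# Real paths inside log4j-core: Maven metadata (carries the version) and a class that
# survives shading/repackaging, for copies whose pom.properties was stripped.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def scan_archive(data: bytes, name: str) -> list:
    """Return [(location, version)] for log4j-core in an in-memory archive, recursing into nested JARs."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP-based archive; nothing to inspect
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            lines = zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
            version = next((l.split("=", 1)[1].strip() for l in lines if l.startswith("version=")), "unknown")
            findings.append((name, version))
        elif JNDI_CLASS in names:
            findings.append((name, "unknown (JndiLookup.class present, no pom.properties)"))
        for inner in sorted(names):  # fat JARs, WAR WEB-INF/lib, shaded bundles
            if inner.lower().endswith(ARCHIVE_EXTS):
                findings += scan_archive(zf.read(inner), f"{name}!/{inner}")
    return findings

def scan_tree(root: str) -> list:
    """Walk a directory tree and aggregate scan_archive() results for every archive file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    findings += scan_archive(fh.read(), path)
    return findings

def build_sample_app() -> bytes:
    """Constructed sample: an app JAR bundling a nested log4j-core JAR (placeholder version)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(POM_PROPS, "version=2.0-SAMPLE\ngroupId=org.apache.logging.log4j\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-SAMPLE.jar", inner.getvalue())
    return outer.getvalue()
```

Point `scan_tree()` at an application server's deployment directory to get a list of every embedded copy with its version, which is the input a patch or triage decision needs; a copy reported with an unknown version still warrants a manual look, since a stripped `pom.properties` is common in shaded bundles.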

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Jason Nalewak. Read the original post at: https://blog.sonatype.com/how-much-should-the-federal-government-worry-about-log4j