Proposal: add log4j & maybe some other key logging components to list of critical projects


David A. Wheeler
Dec 11, 2021, 2:36:08 PM
to wg-securing-critical-projects
Apache log4j, a widely-used Java component, has a *nasty* vulnerability,
CVE-2021-44228 aka Log4Shell. More info:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-44228
https://www.randori.com/blog/cve-2021-44228/
https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/
https://www.zdnet.com/article/security-warning-new-zero-day-in-the-log4j-java-library-is-already-being-exploited/
https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/

This component is incorporated in many frameworks in wide use,
including Apache Struts2, Apache Solr, and Apache Flink.

According to threatpost its CVSS vulnerability score is 10/10
<https://threatpost.com/zero-day-in-ubiquitous-apache-log4j-tool-under-active-attack/176937/>.
CVSS is an imperfect measure, but it can be a useful estimator, and
usually even high CVSS scores cap at 9.8/10. In this case I think CVSS gets it right;
this one is bad.

This vulnerability is making the news, so it's clearly important to many, and
by itself that justifies adding it as a critical component.
I think the centrality of this component, and its wide use, also justifies adding it.
We might want to think more broadly about adding logging modules;
they are used in *many* systems, have to handle data from untrusted sources
(and may do it improperly), and are important for security (since their logs are often
the first step in identifying active attacks).

--- David A. Wheeler

Matt Jarvis
Dec 11, 2021, 3:17:08 PM
to David A. Wheeler, wg-securing-critical-projects
+1 totally agree

--
You received this message because you are subscribed to the Google Groups "wg-securing-critical-projects" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wg-securing-critical...@googlegroups.com.
To post to this group, send email to wg-securing-cr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wg-securing-critical-projects/0DBA0A51-EEE0-4C3E-A3AA-D253D126479E%40linuxfoundation.org.
For more options, visit https://groups.google.com/d/optout.

Edward Vielmetti
Dec 11, 2021, 4:04:31 PM
to Matt Jarvis, David A. Wheeler, wg-securing-critical-projects
I would broaden my scope a little bit for this one
and say that "the Java logging ecosystem" should
be given a good long hard look. There are reports
I've seen going back a decade complaining about it,
old code (log4j 1.x) that's been deprecated but that's
still in widespread use, multiple similar ways to do the
same thing.

You have to combine this with the tenets in this
community to preserve backwards compatibility,
as well as an overall trend for legacy systems not to get
regularly updated to latest releases.

I don't think so much that a narrow focus on one library
is going to pay off as much as a broader ecosystem
focus looking at the set of plausible alternatives that
people might have for the logging function.

thanks

Ed


Derek Zimmer
Dec 13, 2021, 9:25:26 AM
to Edward Vielmetti, Matt Jarvis, David A. Wheeler, wg-securing-critical-projects
I would agree that the java logging ecosystem needs a look. We are already looking at slf4j but there's a whole bundle of projects out there that could use some help.

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund


Rao Lakkakula
Dec 13, 2021, 3:42:47 PM
to wg-securing-critical-projects
I also agree on the java logging ecosystem point, and +1 to David's original comment about considering logging libraries as critical across other popular langs.

David A. Wheeler
Dec 14, 2021, 12:30:30 AM
to wg-securing-critical-projects

> On Dec 13, 2021, at 3:42 PM, Rao Lakkakula <nlakk...@gmail.com> wrote:
>
> I also agree on java logging ecosystem point, and +1 to David's original comment about considering logging libraries as critical across other popular langs.
>
> On Monday, December 13, 2021 at 6:25:26 AM UTC-8 de...@ostif.org wrote:
> I would agree that the java logging ecosystem needs a look. We are already looking at slf4j but there's a whole bundle of projects out there that could use some help.

It's worth noting that the Census II preliminary report from Harvard had these 2 logging libraries at the top:
- logback
- slf4j

They probably should be added to the critical list as well. Rationale: Census II.

--- David A. Wheeler

Derek Zimmer
Dec 14, 2021, 10:45:46 AM
to David A. Wheeler, wg-securing-critical-projects
Hello all,

Just as an FYI, slf4j and logback have the same lead developer. We are currently working on a review of slf4j with Google's support. Logback is not currently funded but we could kick it off quickly if we found the funds, since we are already in touch with the team.

The same lead developer created logback with the intention of replacing log4j 1.x. log4j 2.x is now a separate team.

If we want to audit log4j 2.x and logback under Alpha as one of our "test runs", I can start the work of scoping them out and locating some contacts for log4j and we can bring that info to Alpha to facilitate a security review of both.

Thoughts everyone?

Derek Zimmer
Executive Director
Open Source Technology Improvement Fund


Lauri Ojansivu
Dec 14, 2021, 10:57:07 AM
to wg-securing-critical-projects
Usually it's easier to upgrade to a newer version of a dependency that has the latest fixes than to change to a different dependency that could be incompatible and require many source code changes.

BR,
xet7