Versions Compared

Comment: Apply dw changes

...

  • You don't fix supply chain issues by focusing exclusively on the means of production.

    • If we could somehow make perfect releases of all ASF projects tomorrow, it would literally take years before we would see the effects, and there would be plenty of cases where the update is never applied.

  • Community is defined by those who show up.

    • We have plenty of components which are widely used, yet many of the companies that build these into their products either don't review the code or choose not to contribute back their fixes.

  • Vulnerabilities aren't always isolated to a single component.

    • In the case of the recent log4j vulnerability, JNDI (a part of the Java runtime library, supplied by its respective supplier, and not part of Log4J) is a critical part of the exploit. We tend to treat concepts like "JNDI injection" as if they were well understood problems, but just like "SQL injection" and other injection problems, this is demonstrably not the case. If it were possible to improve those common components, that could be a very big win.

...

  • The IETF, W3C, and WHATWG are examples of standards organizations.  Companies and invited experts collaborate there to produce specifications of standards, formats, and protocols.  Along the way, those companies and individuals contribute their intellectual property to make this happen.  Those standards are then implemented by commercial and open source products.
  • LDAP is an example of one such standard.  It is defined at the IETF.  Its original use was for things like phone books and organization charts.
  • Java is a programming language, and OpenJDK is the open source implementation of that language.  Java contains a component, named JNDI, that implements LDAP as well as a number of other standards such as CORBA and RMI.  Those other standards provide the ability to do things like remote code execution, which was popular in the 1990s but now isn't quite so important.
  • The Apache Software Foundation is an example of an open source organization.  Self managed groups of experts (e.g. academics, people seconded by their company or otherwise voluntary) collaborate there to produce releases of software components and products.  In this way the industry as a whole, i.e. companies, academia, the public sector and individuals, contribute their intellectual property to make this happen.  Those releases are then incorporated into commercial and other open source products.
  • Log4J is one such example of a software component produced by the ASF.  It does the mundane job of producing an audit trail of important activities.  Augmenting the audit trail with organization data from LDAP seemed like a good idea at the time.  As Log4J is written in Java, it made use of JNDI to access that data.
  • Put together, you have a mundane and almost invisible function which can be tricked into doing remote code execution.  There have been prior efforts to identify critical functions, yet somehow log4j never ranked high on any list.  Furthermore, this vulnerability was not a bug (like a buffer overflow), but a combination of intentionally designed features which, when put together, can be exploited.  This went unnoticed for many years.
  • Since the vulnerability was disclosed, we have had a number of inquiries from people trying to determine if they were affected by this vulnerability.  It turns out many were running log4j version 1, which was discontinued in 2015.  The good news is that this particular vulnerability does not affect them.  The bad news is that the code they are running has not benefited from any security fixes in many years.
  • The handling of the issues in log4j followed ASF processes and the fixes were timely.
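The inquiries described above mostly came down to a basic inventory question: which log4j line is actually on the classpath?  As an added example (not ASF or Log4J project code), the script below reads the Maven `pom.properties` files that log4j jars carry under `META-INF/maven/`, reports log4j 1.x as end-of-life per the text above, and leaves 2.x to be compared against the project's own advisories.  The jars and version strings it builds are constructed fixtures, not real releases.

```python
import io
import re
import zipfile

# Assumption: artifacts are Maven-built and carry META-INF/maven/<group>/<artifact>/pom.properties.
# log4j 1.x is published as log4j:log4j, log4j 2.x under org.apache.logging.log4j.
LOG4J_GROUPS = ("log4j", "org.apache.logging.log4j")
EOL_MAJOR = 1  # log4j 1.x was discontinued in 2015 (see text above)


def read_pom_properties(jar_bytes):
    """Return {(groupId, artifactId): version} for every pom.properties in the jar.
    Scanning all of them also catches log4j shaded into another jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("pom.properties")):
                continue
            props = {}
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if "=" in line and not line.startswith("#"):  # skip Maven's generated comments
                    key, value = line.split("=", 1)
                    props[key.strip()] = value.strip()
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[(props["groupId"], props["artifactId"])] = props["version"]
    return found


def classify_log4j(coords):
    """Map each log4j artifact found to a status string; non-log4j artifacts are ignored."""
    results = {}
    for (group, artifact), version in coords.items():
        if group not in LOG4J_GROUPS:
            continue
        match = re.match(r"(\d+)", version)
        major = int(match.group(1)) if match else None
        if major == EOL_MAJOR:
            status = "end-of-life (log4j 1.x, discontinued 2015): no security fixes, migrate"
        elif major is None:
            status = "unparseable version, inspect manually"
        else:
            status = "supported line: compare %s with the Log4j project's advisories" % version
        results["%s:%s:%s" % (group, artifact, version)] = status
    return results


def build_jar(group, artifact, version):
    """Constructed fixture: an in-memory jar containing only a pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/%s/%s/pom.properties" % (group, artifact),
                    "#Generated by Maven\ngroupId=%s\nartifactId=%s\nversion=%s\n"
                    % (group, artifact, version))
    return buf.getvalue()


def scan_jars(jars):
    """jars: iterable of (name, bytes). Returns {jar name: classification dict}."""
    return {name: classify_log4j(read_pom_properties(data)) for name, data in jars}
```

On a real deployment, feed `scan_jars` the bytes of every `*.jar` under the application's lib directories, and remember that a 1.x hit means the whole component is unmaintained, not just this one issue.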

...