I might not have had an “Information Security” title associated with my name until now, but I have always been interested in securing environments within infrastructure. I have seen many things, good and bad. I think this is one of the scariest items happening right now, and it needs to be called out.
First, let’s define “Open Source”. The best technical definition that I can find states “Open source software is code that is designed to be publicly accessible—anyone can see, modify, and distribute the code as they see fit” (continue to read more here https://www.redhat.com/en/topics/open-source/what-is-open-source).
It began as a great example of the “open web”, where thoughts, ideas and programs can be passed around freely. But, as with any great idea, others have found ways to monetize it. I have seen many companies take “Open-Source” software, add their “special” modifications, and then sell that as their product. I have also seen companies use “open source” software within their own applications to provide a specific functionality and NOT give credit to the original owner.
Log4J should have been a wake-up call to any security expert about the threat of Open-Source. This is not about the vulnerability of version 2.15. It is about the responses from organizations using this software. To give credit, some organizations were quick to respond and patched quickly. However, there were many who, to this day, state either 1) “We do not think we have this software within our applications” or 2) that they were unable to update the software and that this was fine because the version of Java they had installed was not the specified version. The worst response was “We are not vulnerable because we are using version 1.x.”
Version 1 of log4j hit End-of-Life (EOL) in August of 2015. That is over six years ago. Let me ask you this. Do you think it is ok for a company to be running Windows 2003 or Windows XP in their environment today? Log4J version 1 was End-of-Life (EOL) just one month after Windows 2003 and Windows XP. And yet, there are MANY companies out there who are stating “we are not vulnerable to log4J because we are running version 1.x”.
From a vulnerability management point of view, you ARE vulnerable BECAUSE you are running a version of software that is End-Of-Life (EOL) and, as such, is not being updated to fix known vulnerabilities. End-of-Life software, just like End-of-Life Operating Systems, does not receive patches, and vulnerabilities are not even reported against it. By giving an End-of-Life date, the original program writer is telling you: the project has moved on, please update your software. Or, in other words, “You are SOL because the software version is EOL”.
When this was identified where I worked, our security department immediately initiated a scan of our environment to report ALL versions of Log4J. The number of software companies running Log4J version 1.x was unbelievable to me. And the response we got when we reached out to organizations running log4J version 1.x was the same: “The version of log4J that is running within our software is not part of CVE-2021-45105, so no update to our application will be provided”. There were even some companies who were running the vulnerable version (2.15) and whose “fix” was to downgrade to version 1.x of log4J and release this as a patch.
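A defender-side inventory in the spirit of the scan described above, as an added example that is not the author's tooling: it identifies Log4j copies by the Maven metadata packaged inside each jar (including jars nested in WARs or vendor bundles) and flags every 1.x as EOL, independent of whether a particular CVE lists that version. The 2.x floor `MIN_2X`, the `demo()` helper and the sample archives it writes are constructed assumptions, not real release artifacts.

```python
# Added example: inventory Log4j artifacts under a directory tree; any 1.x copy is flagged EOL outright.
import io, tempfile, zipfile
from pathlib import Path
POM_1X = "META-INF/maven/log4j/log4j/pom.properties"  # Maven metadata packaged in log4j 1.x jars
POM_2X = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # log4j-core 2.x
MIN_2X = (2, 17, 1)  # hypothetical operator-chosen floor for the 2.x line; adjust to policy

def classify(version):  # 1.x is EOL whatever a CVE list says; 2.x is measured against the floor
    v = tuple(int(p) for p in version.split(".") if p.isdigit())  # "2.0-rc1" -> (2,) still compares
    if v[:1] == (1,):
        return "EOL"
    return "OUTDATED" if v < MIN_2X else "OK"

def pom_version(data):  # value of the version= key in a Maven pom.properties file
    lines = data.decode("utf-8", "replace").splitlines()
    return next((l.split("=", 1)[1].strip() for l in lines if l.startswith("version=")), None)

def inspect(archive, label):  # yields (label, version, status) for this archive and nested jars
    names = set(archive.namelist())
    for pom in (POM_1X, POM_2X):
        if pom in names and (version := pom_version(archive.read(pom))):
            yield label, version, classify(version)
    for name in names:
        if name.lower().endswith(".jar"):  # WAR/EAR or a vendor bundle carrying its own copy
            with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                yield from inspect(inner, f"{label}!{name}")

def scan(root):  # walks a directory tree and returns sorted findings from every archive in it
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in {".jar", ".war", ".ear"} and zipfile.is_zipfile(p):
            with zipfile.ZipFile(p) as z:
                findings.extend(inspect(z, p.name))
    return sorted(findings)

def make_jar(entries):  # constructed sample archive (zip bytes); not a real release jar
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def demo():  # writes three constructed artifacts to a temp dir and scans them
    with tempfile.TemporaryDirectory() as d:
        Path(d, "log4j-1.2.17.jar").write_bytes(make_jar({POM_1X: b"version=1.2.17\n"}))
        Path(d, "log4j-core-2.15.0.jar").write_bytes(make_jar({POM_2X: b"version=2.15.0\n"}))
        inner = make_jar({POM_2X: b"version=2.17.1\n"})
        Path(d, "app.war").write_bytes(make_jar({"WEB-INF/lib/log4j-core.jar": inner}))
        return scan(d)
```

Shaded builds that strip Maven metadata will not be matched this way and still need a manual review; the point of the status column is that 1.x never gets an "OK", whatever a vendor says about CVE coverage.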
So, why title the blog entry “The Hypocrisy of Open Source”? The hypocrisy comes in when you look at the requirements to run their software: they do not list Windows 2003 or Windows XP as a supported Operating System, and when pressed why, they state “Windows 2003 is End-of-Life”.
This idea needs to change, and these companies need to own up to the fact that they are knowingly putting each and every one of their customers in harm’s way.
