Christmas came early – Log4Shell & mitigating open-source vulnerabilities

Christmas came early this past December! By that I mean, the attacks that we’ve come to expect from our “frenemies” — the Chinese nation-state attackers who historically strike on this holiday — made themselves felt the week before. They weren’t the only ones reputedly attempting to capitalize on the Log4j vulnerability. The associated numbers were so great that the peal of “The internet is on fire!” rang out from around the globe. It wasn’t long until the words of the poet Rudyard Kipling came to mind: “If you can keep your head when all about you are losing theirs...”

In addition to being touted by many as perhaps the greatest security challenge this generation will have known, the Log4j vulnerability punctuated an awareness already brought to the forefront by the recent cybersecurity executive order that declares, in an ever-more-connected world, the growing importance that must be ascribed to supply chain security and the criticality of open-source software resident in that chain.

In many ways, the sharing reflected in that kind of software has lain at the heart of the internet’s development. The free and open sharing of packet theory by Leonard Kleinrock allowed for the development of the ARPANET. Bob Kahn, having developed the first widescale demonstration of ARPANET infrastructure, made an unprecedented agreement with internet rival David Farber allowing for CSNET traffic to share all his existing infrastructure. And finally, global government agencies shared the cost for much of the initial physical infrastructure needed for widespread accessibility and formed the Coordinating Committee on Intercontinental Research Networking — as a means by which to continue fostering that collective spirit.

It's said, however, that every rose has its thorn — in this instance, it’s apparently a vulnerability that resides at the heart of today’s version of internet collectivism: open-source software.

Quickly dubbed Log4Shell, the flaw results are what could be characterized as improper input validation. This allows for remote code execution, meaning attackers can have sole command of affected machines. While the technical details of the vulnerability don’t immediately seem worthy of the front-page concern that it has engendered, the sting lies in the widespread use of the base software, utilized in the programming language Java — the language that underpins coding for Apple, Microsoft and Amazon’s entire digital offerings. The collectivist mentality, which has allowed the internet to scale to a level incomprehensible 30 years ago, also presents cybercriminals with a golden ticket opportunity.

The Log4j vulnerability shows that cybercriminals are continuing their string of successes, picking holes at the connective tissue holding the internet together. And why wouldn’t they? As I’ve pointed out in a past column, 99% of all codebases contain some elements of open-source code.

This ability to control and command a server can inflict untold havoc. It can start (and keep) the dominoes falling in a massive ransomware attack. It can impact people’s ability to work or allow for the quick formation of significantly sized botnets. It can shake people’s confidence in the ability to mine, store and use new digital currencies. Any of these outcomes could be catastrophic to a business, employee or individual. And they constitute only the tip of the iceberg when considering the types of threats possible when vulnerabilities are found in coding used so ubiquitously by companies.

As security professionals, it’s impracticable to imagine a world in which we eliminate all risk from our software stacks — that would likely cripple productivity and send customers straight to the complaint boards. We can, however, enable complete software visibility so that organizations can more readily identify and mitigate any future instances of discovered vulnerabilities. It was toward that end that we created an Open-Source Software Program Office at Blackberry. It allows us to track and categorize our entire product portfolio’s open-source software contents and to quickly identify where, in each of our products, aspects of a particular library reside. That information enables us to then expeditiously file fixes for announced vulnerabilities into the appropriate software engineering teams and, in turn, their mitigations to any potentially impacted customers.

The ability to rapidly inspect all elements of application codes at an enterprise-wide level with software composition analysis tools is an indispensable aspect going forward for any organization’s effort to build secure software. In circumstances where we are frantically searching to understand how much of our software infrastructure might be impacted by an unfolding breach, this AI-powered visibility can be invaluable.

The internet was predicated on sharing. It’s up to us as security professionals to continue sharing our knowledge and innovations in fighting today’s unscrupulous adversaries. It’s also up to us to ensure organizations are aware of the extent to which their enterprise is reliant on open-source software, as well as the practical steps we can take to mitigate attacks against this bedrock software.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.