Cassandra Crossing/ The unbearable weakness of middleware – log4j


This post was last updated 3 years ago.

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

The articles of Cassandra Crossing are published under the CC BY-SA 4.0 license | Cassandra Crossing is a column created by Marco Calamari under the “nom de plume” of Cassandra, born in 2005.

Today is Tuesday, but we gladly break with tradition for this extraordinary edition, given that we are talking about a very recent problem: the security flaw just discovered in Java.

This article was written on December 13, 2021 by Cassandra.

Vulnerabilities in the global software ecosystem do not arise from the code of web applications, but from obscure and very widely used libraries.

As Cassandra's 24 tireless readers know well, our favorite prophetess has been actively involved in cybersecurity in the past.

The most interesting thing she remembers was, back around 2011 in Berlin, at the Universalhall, taking part in only one (unfortunately) of the last editions of PH-Neutral, perhaps the 0x7db edition: a public, paid hacker conference which could nonetheless only be attended on the "introduction" of at least two former participants, and which unfortunately no longer exists.

Even today I have to thank a couple of people, or rather very dear friends, who suggested I go and "introduced" me. I wonder if they still remember...

The name PH-Neutral in fact expresses the concept of "balance point", a place where gray hats and white hats could meet as equals.

A memorable event, similar to a CCC Camp condensed into just over 24 hours (beer, dancing and more included).

Unlike at the CCC (where a lot of "filler" also gets in), the level of the few presentations (morning and afternoon) was stratospheric, and the speakers were so good as to be understandable to everyone, even Cassandra.

The talk that struck me most was that of a security expert in web development (a sector that was just beginning to explode at the time) who explained, with very understandable examples, that the next major web vulnerabilities would come not from the code written by the application programmers themselves, but from errors in the countless pieces of software that had to be included in those applications: libraries and “middleware“.

These vulnerabilities would be both genuine errors in the libraries' own code and "interfacing" errors between the different pieces, due to APIs that were poorly documented, or whose documentation nobody, in the rush, had time to read thoroughly.

Well, the news these days is the discovery of a very serious vulnerability in a small component of Java programs: the humble Log4j, which, like its Unix big brother Syslog (itself an offshoot of Sendmail, but let's stop there), exists to write what happens during the execution of a Java program, especially errors, into so-called "log" text files.

Yes, log files, those "useless" files that sometimes clog up computers and smartphones, which are used to understand what went wrong when the device crashes, and which are also bread and butter for those who work in Computer Forensics.

Log4j is a Java library that performs this humble task, and it is included in almost every Java program, which in turn is part of almost every web service in the world.

Here you can find the Chinese translation of a good summary article on the issue.

How to summarize the possible consequences of the issue?

“Had they already said that eleven years ago?”

“Is this such a trivial issue that any lifelong programmer knows we have to live with it?”

Or, to put it in a more original and accessible way, in times in which cyberwar has already materialized (memento Stuxnet!), we could say that among "normal" people, and even among "normal" professionals, almost no one realizes the danger, and how easy it could be to end up disconnected, in the dark and without water as the first act of the next war.

Marco Calamari
