Australian authorities have been running through the same Log4shell issues their US counterparts are working on, and they've been doing so in close partnership with their Five Eyes allies. The Australian Signals Directorate and the Australian Cyber Security Centre have been full participants in getting out guidance to the many stakeholders affected by the vulnerabilities in the open source library. The Australian Associated Press today published an account of where the country stands with respect to remediation.
The US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities Catalog now includes Log4shell, and that's consistent with the agency's aspiration, expressed clearly during yesterday's media call, of serving as a single authoritative source for information on risk and remediation. The agency's leaders, while emphasizing the seriousness of the vulnerability, nonetheless offered a broadly optimistic view of the response.
The incident is requiring organizations to manage an extraordinarily complicated supply chain with thousands of vendors, all of whom, CISA Director Easterly emphasized during yesterday's media call, must prepare and deliver their own patches.
Concern about the difficulty of the Government gaining adequate insight into the scope of any particular risk has lent renewed urgency to lawmakers, Senator Peters among them, who are sponsoring legislation that would require organizations to report major cyber incidents. Roll Call notes that House and Senate measures failed to make it through conference during the last session of Congress, but that efforts to arrive at a bill that could pass both houses would resume as Congress reconvenes.
Log4j vulnerabilities will not be amenable to any quick or easy fix, and in this respect they represent, in heightened form, a problem that's common to open source software generally. As Wired points out, not even the big stick the US Federal Trade Commission has waved at businesses will be able to effect an overnight cure for the flaws. Remediation will have, as CISA's Executive Assistant Director for Cybersecurity Eric Goldstein said yesterday, "a very long tail."
The open source software supply chain may have a free-rider problem. BleepingComputer reported an infinite loop that a developer inserted into two widely used open source libraries. It was a gesture of protest. The developer, whom BleepingComputer identified as Marak Squires, is thought to regard himself as having been exploited by the many organizations that have used his software without either adequate compensation or support. The Apache Foundation addressed this sentiment and its causes in a position paper. SecurityWeek headlines its account of the paper "Apache Foundation Calls Out Open-Source Leechers." Apache doesn't call organizational users "leechers," but its position paper does describe a free-rider problem. "We can't fix open source supply chain issues by focusing exclusively on the upstream producer," is how Apache puts it in its first "take-away." The downstream users of open source software should, Apache argues, "contribute back." That is, "Help fix bugs. Conduct security audits and feed back the results. Cash, while welcome and useful, isn't sufficient. We eagerly welcome audits and fixes from any source. We have a process defined for doing so..."