Too Long; Didn't Read
This article discusses the log4j incident, why people are worried about the open-source software (OSS) supply chain, and how to work towards fixing it.
The Spark: Log4Shell
Last week (Dec 9th) a major vulnerability was discovered in an open-source logging project for Java called log4j.
The vulnerability, called Log4Shell, lets anyone run arbitrary code on the server remotely simply by getting it to process a message in the right format. Remote code execution is one of the worst outcomes a system can be exposed to; if you are interested in the technical details of the problem, here is an overview.
The attack surface of Log4Shell is staggering. Amazon, Apple, Google, and the Apache Server are affected; it hardly gets bigger than this.
We will see the real fallout of Log4Shell in the coming weeks and months; right now, servers worldwide are being scanned and prodded for this vulnerability.