DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Last call! Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workloads.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • How To Detect and Secure Your Java App From Log4j Vulnerabilities
  • Buildpacks: An Open-Source Alternative to Chainguard
  • Improving Java Code Security
  • Empowering Developers Through Collaborative Vulnerability Management: Insights From VulnCon 2024

Trending

  • Revolutionizing Financial Monitoring: Building a Team Dashboard With OpenObserve
  • My LLM Journey as a Software Engineer Exploring a New Domain
  • Concourse CI/CD Pipeline: Webhook Triggers
  • Hybrid Cloud vs Multi-Cloud: Choosing the Right Strategy for AI Scalability and Security
  1. DZone
  2. Software Design and Architecture
  3. Security
  4. How Dangerous Is Log4Shell and How it Affects the Java Industry?

How Dangerous Is Log4Shell and How it Affects the Java Industry?

Log4Shell has been a hot topic since its discovery. In this article, I'd elaborate on the Log4Shell vulnerability and how it might affect the Java community.

By 
Dmitry Chuyko user avatar
Dmitry Chuyko
·
Feb. 02, 22 · Opinion
Likes (3)
Comment
Save
Tweet
Share
4.4K Views

Join the DZone community and get the full member experience.

Join For Free

In this short article, I would like to elaborate on the Log4Shell vulnerability and how it might affect the Java community. Log4Shell has been a hot topic in different media since its discovery. However, not all sources describe the problem correctly; some believe that it is a vulnerability reducing the whole Java world to a broken reed.

To clear away all misinterpretations, Log4Shell is not a Java vulnerability, but a Java library Apache Log4j 2 bug. This widely spread Java software is designed for logging error messages in applications.

As we know, there were four security patches issued by Apache since the vulnerability discovery, with the recommendation to integrate them immediately in case your software contains this library. 

What Is Inside of This Bug and Where Did It Come From?

It is officially called CVE-2021-44228 and has the highest score of 10 in the CVSS security ranking, meaning that you should either shut down the application containing the bug or update the dependencies immediately. There were three more related vulnerabilities that were discovered under the numbers CVE-2021-45046, CVE-2021-45105,  CVE-2021-44832, with the same critical security rank of 10.

Log4Shell vulnerability provides an opportunity for the intruders to get control of your device on the Internet. The library Apache Log4j 2 was written in Java using the OpenJDK, and it became evident that its code was not audited. This case created a considerable concern for the whole Java community regarding the security of the code. Rightfully so.

How It Affects the Java Industry

There are many different opinions, with some claiming that open software is to blame. I, however, would like to express a different point of view. The open-source approach to development is certainly more beneficial for the IT industry. In the open-source environment, we find out about the vulnerabilities as soon as they are discovered and fix them in a joint effort. Hypothetically, let's say that a bug is found in proprietary software. In that case, the developer community and consumers will not even know about it, hence cannot act.

Secondly, I believe that using a different approach to the software's security, quality, and technical support is beneficial. It does not mean that you should switch to proprietary products, but you should find and work with reputable and reliable OpenJDK providers.

Thirdly, an important rule in the IT industry is that no one should skip integrating security patches. If you don't follow this rule, you put yourself in a highly unsafe position.

Today OpenJDK is getting better and safer with each Critical Patch Update (CPU). The latest one was released in January 2022 for JDK 17, JDK 11, JDK 8. The various fixes introduced in these updates demonstrate the results of the united efforts of Java community members in discovering the issues and delivering solutions to them. This is the way to keep Java on top of the list of the most secure and performant programming languages.

Summary

Log4Shell vulnerability received extensive widespread media coverage and even resulted in the White House Meeting on Software Security. The discussion leaves expectations for more productive collaboration in preventing security defects and vulnerabilities in code and open source packages. It is bound to result in improving the process of finding defects and fixing them, and shortening the response time for distributing and implementing fixes. 

Java (programming language) Open source security Vulnerability

Opinions expressed by DZone contributors are their own.

Related

  • How To Detect and Secure Your Java App From Log4j Vulnerabilities
  • Buildpacks: An Open-Source Alternative to Chainguard
  • Improving Java Code Security
  • Empowering Developers Through Collaborative Vulnerability Management: Insights From VulnCon 2024

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!