It was less than a month ago that news of Log4Shell (CVE-2021-44228), the zero-day vulnerability in Log4j, a popular Java logging framework, broke. The news and fixes continue to come fast; as of today, January 5, the current guidance is to upgrade Log4j to 2.12.4 for Java 7 and 2.17.1 for Java 8+. In case you've been out of the loop, you can learn more about the situation in this blog post.
In the aftermath of Log4Shell, many have discussed how the situation feels similar to another zero-day vulnerability from nearly a decade ago: the Heartbleed bug. Heartbleed was a serious vulnerability in the popular OpenSSL cryptographic library, and it first drew attention to the urgent need for better support for the often-volunteer independent maintainers of open source. How has the industry learned and improved since then?
Join us tomorrow, January 6 at 3 p.m. ET, as Tidelift solutions architect lead Mark Galpin shares insights into the Log4Shell vulnerability and discusses how things have changed since Heartbleed. He'll cover how the industry has improved and ways we can continue to address the underlying issues even better. He'll also show how Tidelift can help with these challenges, and answer questions about Log4Shell and Tidelift's recommendations for handling it. You can register here.
And if you're looking for more information about how to mitigate the impact of the Log4Shell vulnerability, here are a bunch of resources to help:
- Jeremy Katz details the situation in this Tidelift advisory, sharing what you need to know and do if your organization depends on Log4j. Spoiler alert: if you're building code with Java, your organization almost certainly depends on Log4j, directly or through a transitive dependency.
- Watch this 20-minute on-demand webinar, where Mark explains what you need to know about the Log4j vulnerability—and how Tidelift can help.
- In this Tidelift briefing, Mark breaks down the situation step-by-step.
- Tidelift co-founder Luis Villa discusses how the whole Log4Shell situation really highlights the need to proactively work with maintainers at scale.
- Forrester analyst Sandi Carielli and team explain how organizations can mitigate future vulnerabilities using a software bill of materials (SBOM) and open source management strategies.
- Finally, if you want to check if your applications contain Log4j, you can generate a free software bill of materials with the Tidelift Subscription free trial.
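Once you have an SBOM, the check that matters is not just "is log4j-core present" but "is every copy at or above the fixed version for its branch" (2.12.4 on the 2.12 branch, 2.17.1 otherwise, per the guidance above). The script below is an added example, not Tidelift's tooling or Log4j project code: it walks a CycloneDX JSON SBOM, identifies log4j-core by its Maven purl, and reports which copies still need an upgrade. The sample SBOM embedded in it is constructed for illustration and does not describe a real project.

```python
import json
import re

# Upgrade targets from the guidance in this post as of January 5, 2022:
# the 2.12 branch (Java 7) is fixed at 2.12.4, every other 2.x line at 2.17.1.
FIXED_VERSIONS = {
    "java7 (2.12.x)": (2, 12, 4),
    "java8+": (2, 17, 1),
}

# Maven purl prefix for the vulnerable artifact (log4j-api alone is not affected).
LOG4J_CORE_PURL = "pkg:maven/org.apache.logging.log4j/log4j-core@"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple.
    Pre-release suffixes are dropped, which is conservative here: '2.0-beta9'
    compares as 2.0.0 and is still flagged as needing an upgrade."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable log4j version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def required_fix(version):
    """Return the fixed version this copy must be at or above, following the post:
    2.12.x (Java 7) goes to 2.12.4, all other 2.x goes to 2.17.1. Log4j 1.x is
    outside the post's guidance and returns None; the Java 6 (2.3.x) line is not
    mentioned in the post either, so it is measured against 2.17.1 here, which
    is conservative rather than precise."""
    if version[0] != 2:
        return None
    if version[:2] == (2, 12):
        return FIXED_VERSIONS["java7 (2.12.x)"]
    return FIXED_VERSIONS["java8+"]


def audit_sbom(sbom_text):
    """Scan a CycloneDX JSON SBOM for log4j-core and compare every copy found
    to its required fixed version. Returns one dict per log4j-core component,
    in SBOM order, with status 'ok', 'upgrade' or 'out-of-scope'."""
    sbom = json.loads(sbom_text)
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if not purl.startswith(LOG4J_CORE_PURL):
            continue
        raw = purl[len(LOG4J_CORE_PURL):].split("?", 1)[0]  # drop purl qualifiers
        version = parse_version(raw)
        target = required_fix(version)
        if target is None:
            status = "out-of-scope"
        elif version >= target:
            status = "ok"
        else:
            status = "upgrade"
        findings.append({
            "purl": purl,
            "version": raw,
            "required": ".".join(map(str, target)) if target else None,
            "status": status,
        })
    return findings


# Constructed sample SBOM (illustrative only, not generated from a real project).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-core", "version": "2.12.4",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.4"},
        {"type": "library", "name": "log4j-api", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.17.1"},
        {"type": "library", "name": "log4j-core", "version": "2.17.0",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.0"},
        {"type": "library", "name": "log4j-core", "version": "2.0-beta9",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9?type=jar"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.1",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"},
    ],
})


def main():
    for f in audit_sbom(SAMPLE_SBOM):
        print(f"{f['status']:<8} {f['version']:<10} required>={f['required']}  {f['purl']}")


if __name__ == "__main__":
    main()
```

Two caveats for anyone running this against a real SBOM: a version such as 2.17.0 passes older scanners that only look for the original Log4Shell fix but still fails the current 2.17.1 guidance, which is why the comparison is against the branch target rather than a single "bad list"; and an SBOM built from declared dependencies will not see a log4j-core bundled inside a shaded or fat JAR, so a file-level scan of deployed artifacts is still worth doing alongside it.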