Enhancing security, stability, and confidence in Java logging

Key facts

Investment Amount
Investment Year(s)
2023, 2024

Logging describes the act of keeping a record of what has happened in a software application, without which the secure operation and continued development of software wouldn’t be possible. Developers use tools called logging libraries to keep track of these records. Log4j is one of the most widely used logging libraries for the programming language Java, and is used in the majority of Java applications.

In December 2021, Log4j vulnerabilities, known as Log4Shell, severely affected billions of applications and services all over the world (Amazon, Alibaba, Twitter, Microsoft, Steam, etc.). This incident reminded everyone of the crucial role Log4j plays in the world’s IT infrastructure. In contrast to the scale of its deployment, Log4j is a free and open source software project developed and maintained by a handful of volunteers who contribute to the project in their spare time.

The Log4j project is hosted by the Apache Software Foundation, which provides governance, guidance, and technical infrastructure support. The foundation does not provide financial support to Log4j maintainers or contributors.

Why is this important?

Java is one of the most popular programming languages, and logging is a core functionality that both system administrators and programmers around the world use in data centers, enterprise networks, and other components. This makes logging libraries like Log4j and Logback critical digital infrastructure for businesses, organizations, and public institutions.

The Log4Shell vulnerability, first made public in late 2021, revealed that Log4j is a core component of the world's software infrastructure, and deployed extremely widely. Governments, businesses, and the public became aware of how critical open source technology is. Investing in and maintaining these technologies keeps social, technical, and economic systems running.

It is hard to overstate the impact of the Log4Shell vulnerability. It affected billions of applications and services all over the world, in all kinds of industries and sectors, because Log4j is used in so many contexts. Google covered the issue in their security blog and in a Google Cloud advisory.

"As of December 16, 2021, we found that 35,863 of the available Java artifacts from Maven Central depend on the affected log4j code. This means that more than 8% of all packages on Maven Central have at least one version that is impacted by this vulnerability."

— James Wetter and Nicky Ringland, Open Source Insights Team, in the Google Security Blog

The Open Source Security Foundation (OpenSSF), in partnership with Google and Microsoft, announced the Alpha-Omega Project and listed Log4j as one of the top 100 critical open source software projects.

  • the U.S. Cybersecurity and Infrastructure Security Agency (CISA),
  • the U.S. Federal Bureau of Investigation (FBI),
  • the U.S. National Security Agency (NSA),
  • the Australian Cyber Security Centre (ACSC),
  • the Canadian Centre for Cyber Security (CCCS),
  • the Computer Emergency Response Team New Zealand (CERT NZ),
  • the New Zealand National Cyber Security Centre (NZ NCSC),
  • and the United Kingdom’s National Cyber Security Centre (NCSC-UK)

released a joint advisory to provide mitigation guidance.

Until STF’s investment, the core maintainers had not received significant financial support for their work on this critical FOSS project.

What are we funding?

The work the Sovereign Tech Fund is commissioning aims to improve the release pipeline, documentation, source code repository structure, and efficiency, as well as to introduce fuzz testing and a performance testbed.

In addition to being functional improvements, these all have security and vulnerability-related implications: an improved release pipeline enables quick releases in response to security vulnerabilities, fuzz testing allows early vulnerability detection, and Software Bills of Materials (SBOMs) enable better dependency tracking.

  • Infrastructure Enhancement:
    • Enhance a continuous-integration-based release pipeline, for faster releases and quicker reaction times in cases of emergency
    • Speed up and simplify the release process
    • Upgrade core dependencies, for improved security and stability
    • Set up code formatting and static analysis tools for better code quality
    • Implement SBOMs, for additional security and improved monitoring of security incidents for users
  • Code Quality and Documentation:
    • Implement unified memory management, for even more performance and simplicity in the codebase
    • Generate configuration documentation and schema from source code, to keep users always up to date on the latest changes
    • Implement an online configuration validation tool, so that even less advanced users can work with configuration
    • Improve documentation, for better accessibility to Log4j features
  • Compatibility and Testing:
    • Introduce API compatibility checks
    • Research and implement source and bytecode migration tools
    • Implement fuzz testing
    • Modernize and stabilize the test suites, for quicker and more thorough testing
    • Improve native compilation support
