“Overwhelmed” Volunteers Struggle to Fix Log4j Bug in Open Source Software

In Openness to Creative Destruction, I argue that open source software has severe drawbacks, compared to a system where firms receive higher profits for selling better software. The severe Log4j bug, discussed in the quoted passages below, is an example that strongly supports my argument. Blog entries posted on Dec. 17 and on Dec. 25 also discussed the Log4j bug.

(p. B6) Gary Gregory, a volunteer for the Apache Software Foundation, is spending time off from his day job glued to his computer, striving to help contain the harm from a security flaw in the Log4j tool underpinning much of the digital economy.

. . .

Mr. Gregory, who works from the dining-room table in his Ocala, Fla., home, fueled by black coffee and accompanied by his hound-pit-bull mix, Bella, said he is overwhelmed with hundreds of requests for help from businesses. While Apache is trying to assist companies in updating their systems, he said, the nonprofit’s resources are limited.

“This puts to the forefront the whole issue with open-source [software] and commercial users,” said Mr. Gregory, who is on the Apache Logging Services Project Management Committee of 16 elected members who vote on changes to the software. “The expectations are somewhat out of whack.”

. . .

Many developers rely on the free Log4j framework to help record data such as users’ behavior and applications’ activity in software built with the Java programming language. Cybersecurity experts say the inclusion of the open-source logging tool within so much interconnected software—often embedded without developers’ knowledge—yields a threat that spans economic sectors and national borders.

. . .

Cybersecurity firm Mandiant Inc. said it has observed Chinese government hackers trying to exploit the flaw.

After Apache released its planned patch on Friday, Mr. Gregory said he worked through the weekend on a new update along with other volunteer software developers in Japan, New Zealand, Virginia and Arizona. Unveiled Monday, the new version disabled a problematic software module by default and removed a message-lookup feature that could be used to exploit the flaw.

The Apache volunteers are designing another update to Log4j for users who rely on an older version of the Java programming language, meaning more work for Mr. Gregory while he is on vacation from his day job.

“That translates to me getting five hours of sleep last night,” he said of his time off. “Some of the other guys got two or three.”

For the full story, see:

David Uberti. “Fight Against Bug Relies on Volunteers.” The Wall Street Journal (Thursday, December 16, 2021): B6.

(Note: ellipses added.)

(Note: the online version of the story was updated Dec. 15, 2021, and has the title “Global Fight Against Log4j Vulnerability Relies on Apache Volunteers.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

Leave a Reply

Your email address will not be published.