Open Source Log4j Software Bug “Poses a Severe Risk”

In Openness to Creative Destruction, I argue that open source software has severe drawbacks, compared to a system where firms receive higher profits for selling better software. The severe Log4j bug, discussed in the quoted passages below, is an example that strongly supports my argument.

(p. B1) The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued an urgent alert about the vulnerability and urged companies to take action. CISA Director Jen Easterly said on Saturday, “To be clear, this vulnerability poses a severe risk.”  . . .  Germany’s cybersecurity organization over the weekend issued a “red alert” about the bug. Australia called the issue “critical.”

Security experts warned that it could take weeks or more to assess the extent of the damage and that hackers exploiting the vulnerability could access sensitive data on networks and install back doors they could use to maintain access to servers even after the flawed software has been patched.

“It is one of the most significant vulnerabilities that I’ve seen in a long time,” said Aaron Portnoy, principal scientist with the security firm Randori.

. . .

(p. B2) The software flaw was reported late last month to the Log4j development team, a group of volunteer coders who distribute their software free-of-charge as part of the Apache Software Foundation, according to Ralph Goers, a volunteer with the project. The foundation, a nonprofit group that helps oversee the development of many open-source programs, alerted its user community about the vulnerability on Dec. 9 [2021].

“It’s a very critical issue,” Mr. Goers said. “People need to upgrade to get the fix,” he said. Log4j is used on servers to keep records of users’ activities so they can be reviewed later on by security or software development teams.

Because Log4j is distributed free, it is unclear how many servers are affected by the bug, but the logging software has been downloaded millions of times, Mr. Goers said.

For the full story, see:

Robert McMillan. “Software Flaw Spurs Race to Patch Bug.” The Wall Street Journal (Monday, December 13, 2021): B1-B2.

(Note: ellipses, and bracketed year, added.)

(Note: the online version of the story was updated Dec. 12, 2021, and has the title “Software Flaw Sparks Global Race to Patch Bug.”)

My book, mentioned above, is:

Diamond, Arthur M., Jr. Openness to Creative Destruction: Sustaining Innovative Dynamism. New York: Oxford University Press, 2019.

2 thoughts on “Open Source Log4j Software Bug “Poses a Severe Risk””

Leave a Reply

Your email address will not be published.