Sophos: Log4Shell would have been a catastrophe without the Y2K-esque mobilisation of engineers
2022-01-25 15:32

Anti-malware outfit Sophos has weighed in on Log4Shell, saying that the galvanization of the IT world to avert disaster would be familiar to those who lived through the Y2K era.

The Log4Shell vulnerability turned up in the common-as-muck Apache Log4j logging library late last year.

"As soon as details of the Log4Shell bug became clear," explained Sophos, "the world's biggest and most important cloud services, software packages and enterprises took action to steer away from the iceberg."

The company noted that Log4Shell attacks blocked by its firewalls peaked between 20 and 23 December, then tailed off during January.

Where the Y2K incident shone a light on coding practices of decades previous, the Log4Shell vulnerability has made it clear just how dependent some companies are on open-source components they don't even know about, don't contribute to or don't have a support contract for.

While the danger from the Log4j vulnerability may have ebbed in the weeks since its disclosure, thanks in large part to an almost Y2K-esque mobilisation of engineers, some good might come of the RCE. Companies are waking up to the open-source components they are using in their estate and hopefully understanding that just because something can be downloaded for free, ensuring it is supported and maintained means somebody must get paid.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/25/sophos_log4shell/