Problem scenario
You are not sure whether Log4j is acceptable to use. Is using Log4j a best or recommended practice?
Answer
Maybe.
Log4j has been widely adopted by many of the most trusted companies in the I.T. industry. According to cybersecuritydive.com, "Fortinet, IBM, Microsoft, Red Hat, Salesforce, and Siemens" use(d) Log4j. The code behind the December 2021 vulnerability had been in Log4j since 2013 (according to an external website).
Below are some examples of credible sources that refer to "best practices" while using Log4j:
- https://examples.javacodegeeks.com/enterprise-java/log4j/log4j-2-best-practices-example/
- https://stackify.com/log4j-guide-dotnet-logging/
- https://dzone.com/articles/logging-best-practices
Carbonite says it is a best practice to "stay current" (in an external posting). Many sources say it is a best practice to apply maintenance patches regularly and stay current; these include Faronics.com, The C2 Group and the U.K. National Cyber Security Centre, and Forbes recommends covering "[a]ll [y]our [b]ases." Staying current was not enough with Log4j. Some companies were running a version of Log4j so old that it contradicted the "best practice" of staying current. (Legacy software is widely used; for proof that Log4j version 1 was still in use after the major December 2021 vulnerability, see this thread: https://github.com/apache/logging-log4j1/pull/18.) Those companies on version 1 were not susceptible to CVE-2021-44228. (Admittedly version 1 has a weakness of its own, reachable through its JMSAppender only when an attacker can already write the logging configuration, which appears to be much less of a vulnerability according to https://www.slf4j.org/log4shell.html.)
As far as vulnerabilities are concerned, CVE-2021-44228 (remote code execution triggered simply by logging attacker-controlled text) is probably as bad as it gets.
https://www.slf4j.org/log4shell.html
…
As log4j 1.x does NOT offer a JNDI look up mechanism at the message level, it does NOT suffer from CVE-2021-44228.
What is interesting is that https://www.slf4j.org/log4shell.html estimates that roughly ten times as many companies use version 1, which has been unmaintained since 2015, as use version 2. Very few companies, then, follow the "best practice" of moving to version 2. Arguably the market got it right by not adopting Log4j 2.x. (A book tells the story of investors guessing which company was responsible for the component that caused the Challenger disaster. The estimates were based on how much the share prices of the possible contractor companies fell on the day of the explosion. When the investigation concluded, the company that had lost the largest percentage of its value that day was the one that made the part that failed. The book is The Wisdom of Crowds. We are not necessarily endorsing the book, but it is an interesting concept.)
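Whichever major version an organisation is on, the practical question after December 2021 is "which Log4j jars do we ship, and which fixes do they carry?" As an added example (not code from the original answer or from the Log4j project), the Python script below walks a directory of jars, reads the Maven metadata each one carries, maps a log4j-core version to the late-2021 Log4j 2 CVEs it has not been patched for, and reports Log4j 1.x as end-of-life rather than as affected by CVE-2021-44228. It also checks whether JndiLookup.class is still inside the jar, since deleting that class was the widely used stop-gap for systems that could not upgrade. The fixed-version table is this example's transcription of the Apache advisories and should be checked against the project's security page; the jars it scans are constructed in a temporary directory so the script runs offline.

```python
"""Scan a directory tree of jars for Log4j and map each version to the
late-2021 Log4j 2 CVEs it is still exposed to (added example, not project code)."""
import re
import tempfile
import zipfile
from pathlib import Path

# First fixed (minor, patch) per CVE on the 2.x mainline, plus backport branches
# keyed by minor version (2.12.x for Java 7, 2.3.x for Java 6). Assumption: these
# ranges are transcribed from the Apache Log4j advisories; verify before relying on them.
FIXES = {
    "CVE-2021-44228": ((15, 0), {12: 2, 3: 1}),
    "CVE-2021-45046": ((16, 0), {12: 2, 3: 1}),
    "CVE-2021-45105": ((17, 0), {12: 3, 3: 1}),
    "CVE-2021-44832": ((17, 1), {12: 4, 3: 2}),
}
POM2 = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
POM1 = "META-INF/maven/log4j/log4j/pom.properties"
POM_PATHS = {POM2: "log4j-core", POM1: "log4j"}
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[\w.]+)?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags are dropped, so 2.0-beta9 is
    treated as 2.0.0 (conservative: early 2.0 betas get flagged as well)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def classify(version):
    """Return the 2021 Log4j 2 CVEs a log4j-core version has not been patched for.
    Log4j 1.x is reported as end-of-life rather than matched against them."""
    major, minor, patch = parse_version(version)
    if major == 1:
        return ["EOL-1.x (not affected by CVE-2021-44228; has its own CVEs)"]
    if major != 2:
        return ["unknown-version"]
    unpatched = []
    for cve, (mainline, backports) in FIXES.items():
        on_mainline = (minor, patch) >= mainline
        on_backport = minor in backports and patch >= backports[minor]
        if not (on_mainline or on_backport):
            unpatched.append(cve)
    return unpatched


def inspect_jar(path):
    """Read the Maven pom.properties inside a jar. Returns (artifact, version,
    has_jndi_lookup) or None if the jar is not Log4j. Nested jars inside
    wars/fat jars are not unpacked here."""
    with zipfile.ZipFile(path) as z:
        names = set(z.namelist())
        for pom, artifact in POM_PATHS.items():
            if pom in names:
                props = z.read(pom).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    return artifact, m.group(1).strip(), JNDI_CLASS in names
    return None


def scan(root):
    """Walk root for *.jar files; return {filename: (artifact, version, has_jndi, cves)}."""
    report = {}
    for jar in sorted(Path(root).rglob("*.jar")):
        info = inspect_jar(jar)
        if info:
            artifact, version, has_jndi = info
            report[jar.name] = (artifact, version, has_jndi, classify(version))
    return report


def make_sample_tree():
    """Constructed sample input: minimal fake jars carrying only the Maven metadata
    (and, where stated, the JndiLookup class entry) a real one would."""
    root = Path(tempfile.mkdtemp())
    samples = [
        ("log4j-1.2.17.jar", POM1, "1.2.17", False),
        ("log4j-core-2.14.1.jar", POM2, "2.14.1", True),
        ("log4j-core-2.14.1-nojndi.jar", POM2, "2.14.1", False),  # class deleted as a stop-gap
        ("log4j-core-2.15.0.jar", POM2, "2.15.0", True),
        ("log4j-core-2.17.1.jar", POM2, "2.17.1", True),
        ("commons-lang3-3.12.0.jar", "META-INF/maven/org.apache.commons/commons-lang3/pom.properties", "3.12.0", False),
    ]
    for name, pom, version, jndi in samples:
        with zipfile.ZipFile(root / name, "w") as z:
            z.writestr(pom, f"version={version}\n")
            if jndi:
                z.writestr(JNDI_CLASS, b"")
    return root


if __name__ == "__main__":
    for name, (artifact, version, has_jndi, cves) in scan(make_sample_tree()).items():
        state = "present" if has_jndi else "removed"
        print(f"{name}: {artifact} {version}, JndiLookup {state} -> {cves or 'patched'}")
```

The "nojndi" entry shows why both signals matter: a 2.14.1 jar with JndiLookup.class removed is still reported as unpatched (the class deletion blocks the message-lookup path for CVE-2021-44228 but is not an upgrade), while a 2.17.1 jar that still contains the class is reported as patched because JNDI is disabled by default there.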
According to CRN, these security vendors were using Log4j version 2:
Broadcom, CyberArk, ForgeRock, F-Secure, Okta, SonicWall and Sophos. (Source: https://www.crn.com/slide-shows/security/12-cybersecurity-vendors-susceptible-to-the-log4j-vulnerability.)
Were these companies following best practices? Do not many people in the industry trust them? Some companies do not rely on peer review and "best practices" alone; they focus instead on multiple lines of defense.
Even Symantec products were affected:
Broadcom determined as of Tuesday that some or all versions of its CA Advanced Authentication, Symantec PAM Server Control, Symantec SiteMinder, and VIP Authentication Hub products are affected by the Log4j vulnerability.
https://www.crn.com/slide-shows/security/12-cybersecurity-vendors-susceptible-to-the-log4j-vulnerability
The vulnerability reminds us that the term "best practice" implies there is a clear alternative that is safe, but some situations offer no clear course of action, even to the most well-respected companies in the world.