UPDATE 12/15/2021: A second vuln in log4j (patch for the first vulnerability was “incomplete.”) It’s been exploited in the wild.
As Daniel Miessler says “Analysis: What’s so remarkable about this vulnerability is not just its criticality or reach—but the root cause at the developer incentives level. Like Heartbleed—the project had very few eyes on it, and all those eyes were volunteers. What we should be thinking about isn’t just log4j. What we should be thinking about is how many other projects are out there that have similar characteristics:
- The project is maintained by very few people in their spare time for no money, and
- If the project had a major issue it would disrupt the entire internet.We simply have too much critical internet infrastructure maintained by a handful of people in their spare time. And those few people are often not able or incentivized to evaluate what they’re creating from a security standpoint.”