I was told about LOG4J V2 (2.1.x for example) from other people that ran
the scanner on 2.5 systems. It is a nightmare to vendors and clients
looking for potential security issues. On the other hand, open source is here
to stay.

In short, mainframe modernization has its price.

ITschak

ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring
for z/OS, x/Linux & IBM I | z/VM coming soon

On Wed, Jan 26, 2022 at 9:25 PM Kirk Wolf <k...@dovetail.com> wrote:

> Phil,
>
> Sorry, I agree that the entirety of what you wrote was more balanced.   I
> reacted (poorly) to this part:
>
> "Same with open source: using random code from an  unknown author would
> have been unthinkable; now it's common."
>
> I don't think that this is common.   Mostly projects use popular open
> source projects.  Most of these have a history, many contributors, test
> suites, etc.    What was shocking about the LOG4J vulnerability was that it
> was one of these.
>
> -- Kirk Wolf
>
> On Wed, Jan 26, 2022, at 12:34 PM, Phil Smith III wrote:
> > Kirk Wolf wrote:
> >
> > >Is that really what you think is going on?
> > >The economics of open source are about *reuse*.   The overwhelming
> > >majority of software these days is built with it for that reason.   Good
> > >developers are very careful about what open source that they use.    Good
> > >companies have policies and processes for approving any open source used
> > >internally.   What's the alternative, write everything from scratch?
> > >Surely there will be no vulnerabilities there :-)   There are complex
> > >trade-offs here that haven't been touched as yet on ibm-main.
> >
> >
> >
> > I guess I didn't make myself clear, because what you wrote is precisely
> > how I think. Not sure what you took from what I wrote that was different;
> > not being pissy, just noting that we seem to be in violent agreement!
> >
> >
> >
> > Yes, in days of yore, you'd write it all from scratch. And I was trying
> > to say that that was NOT necessarily more secure: it was a different
> > environment, so things didn't matter as much. There weren't a million
> > monkeys banging on the door with typewriters.
> >
> >
> >
> > > What's shocking about the LOG4J vulnerability is that it has been a
> > > quality component used by thousands of projects for so long (20 years?,
> > > not sure exactly).  People armed with no understanding of the
> > > vulnerability or even Java immediately began contacting all of their
> > > software vendors, even products that clearly don't even use java.   This
> > > only made the problem worse.
> >
> >
> >
> > Yes. I think I've noted before that the "given enough eyeballs, all bugs
> > are shallow" line, while not intended as a justification for blind use of
> > open source, seems to have been used as such. The log4j debacle should
> > (but won't) convince folks that it should not be.
> >
> >
> >
> > And what may be a repeat, but something I wrote elsewhere and perhaps
> > here:
> >
> > It's also worth noting that a feature conceptually very, very similar to
> > the log4j thing existed almost 40 years ago, in PROFS. DCF included a .sy
> > command that would execute a system command. So, as a friend realized,
> > you could send someone a document that did something nasty, like erase all
> > their files or log them off (or send the CEO a message saying "You're a
> > ****"), simply by reading it. IBM took this as a SEV1 and fixed it;
> > decades later, we've spent the last while dealing with essentially the
> > same dumb feechur.
> >
> >
> >
> > So over how many years, how many people saw this feature and didn't say
> > "Hey, you could do Very Bad Things with that"??! Amazing.
> >
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions,
> > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
> >
>
> Kirk Wolf
> Dovetailed Technologies
> http://dovetail.com
>
