My Personal Experience on CVE-2021-44228 - Log4Shell/Log4J


Rashid Siddiqui | CISSP, CCSP and Related Stories

1 day ago

CVE-2021-44228, also known as Log4Shell or Log4J, has sparked a fascinating debate. Throughout history, we have grappled with the tension between convenience and security, and that tension has become more pronounced as technology has spread into our daily lives. Software developers have always been inventive in how they document and log their applications. They use variables to make the program's footprint more meaningful, which is quite exciting. After all, reading and referencing software logs becomes immensely helpful when they contain essential runtime information, such as null values in the current directory and resource utilization details.
Personally, I'm a fan of this approach, even though I'm not a software developer. I've applied this technique to automate alerts for link latency and resource utilization using SolarWinds NPM back in 2007-2008. I learned SolarWinds from Rajiv Bahl, who amazed me with his innovative use of MS Visual Basic and his resilience in managing key network components. His animated presentations on packet flow and the power of SolarWinds' SQL database were eye-opening.
I took his inspiration and knowledge to the next level by automating link latency alerts. This replaced the mundane latency and jitter alerts with professionally drafted email alerts. These emails, starting with "Dear Team, I am Routerix," embedded key troubleshooting values retrieved using SQL queries. It was like magic when I automated these alerts for call center links, and the automated SMS and email alerts for latency exceeding 170 milliseconds from Sydney to Mumbai were highly appreciated by the service management team. We became more proactive, achieved excellent customer satisfaction, and I even received an innovation award for that quarter.
Looking back, I see a version of myself filled with innovation and an eagerness to overcome security challenges. However, my perspective shifted when I became more security-conscious due to my CISSP certification. I began to reevaluate these past memories from a new standpoint. I don't see it as inherently bad from a security perspective, but my affection for variables and automation-driven intelligence led me down a path that isn't without risks.
Using variables in logging gives us incredible power and efficiency, allowing us to use information intelligently and save significant time and effort. But this ease of use comes at a cost: misusing these variable-driven mechanisms can create vulnerabilities. Log4J/Log4Shell is a classic example of this paradox. Some revel in innovation, others exploit it for nefarious purposes, and some work diligently to safeguard our digital fortresses. In the end, everyone gravitates toward what they love the most.
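The paradox above in miniature, as an added toy illustration that is not part of the original post and is not Log4j code: a logger that expands `${env:NAME}` lookups over the finished log line will also expand lookups smuggled in through untrusted data, while a logger that expands lookups only in the developer-written template and never in the arguments does not. The lookup syntax, the `FAKE_ENV` dictionary standing in for a real environment, and the sample user-agent string are all constructed for this example.

```python
import re

# Constructed toy lookup syntax: "${env:NAME}" resolves NAME against FAKE_ENV,
# a stand-in for the real process environment so the example runs offline.
LOOKUP_RE = re.compile(r"\$\{env:([A-Za-z_][A-Za-z0-9_]*)\}")
FAKE_ENV = {"APP_NAME": "billing", "DB_PASSWORD": "s3cret-example"}


def expand_lookups(text: str) -> str:
    """Replace every ${env:NAME} in text with its (constructed) value."""
    return LOOKUP_RE.sub(lambda m: FAKE_ENV.get(m.group(1), ""), text)


def interpolate(template: str, args) -> str:
    """Fill each '{}' placeholder in order; arguments are inserted verbatim."""
    pieces = template.split("{}")
    if len(pieces) - 1 != len(args):
        raise ValueError("placeholder/argument count mismatch")
    out = [pieces[0]]
    for arg, piece in zip(args, pieces[1:]):
        out.append(str(arg))
        out.append(piece)
    return "".join(out)


def log_unsafe(template: str, *args) -> str:
    """Naive logger: build the full line first, then expand lookups over all
    of it, so lookup syntax inside *data* is interpreted too (the Log4Shell-
    shaped mistake: the log call becomes an evaluation point for input)."""
    return expand_lookups(interpolate(template, args))


def log_safe(template: str, *args) -> str:
    """Hardened logger: expand lookups only in the developer-owned template,
    then splice in the arguments as opaque strings."""
    return interpolate(expand_lookups(template), args)


def has_lookup_syntax(value: str) -> bool:
    """Defender's check: flag untrusted values that carry lookup syntax, e.g.
    to alert on them before they ever reach a logging call."""
    return LOOKUP_RE.search(value) is not None


if __name__ == "__main__":
    # Constructed untrusted header value carrying a lookup.
    user_agent = "Mozilla/5.0 ${env:DB_PASSWORD}"
    print(log_unsafe("app=${env:APP_NAME} user-agent={}", user_agent))
    print(log_safe("app=${env:APP_NAME} user-agent={}", user_agent))
    print(has_lookup_syntax(user_agent))
```

Run stand-alone, the unsafe logger writes the constructed secret into the log line, the safe logger writes the literal `${env:DB_PASSWORD}` text, and the check reports the suspicious value.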
