Log4j – When Business Choices Undermine Technology

Late in 2021, the Log4j software vulnerability hit the news. This was, and remains, a widespread security risk that impacted Government institutions and commercial organisations that knowingly or unknowingly installed this free piece of software distributed by the non-profit Apache Software Foundation.

Log4j seems not to be the best advertisement for Open Source, as this incident has exposed some of the downsides of a more informal approach to software delivery and maintenance. Having said that, it’s well worth reflecting on the large number of derelict and unsupported systems in active use in many companies, from Windows XP to obsolete or unsupported enterprise systems.

Michael Meeks, General Manager of Collabora Productivity, said:

“Organisations deploy solutions that use off-the-shelf Open-Source components all the time, which is fine, but they often fail to get the necessary maintenance and support for them. The Log4j vulnerability is a stark reminder of the issues that can arise when this happens and organisations are left to sort out a major problem with little, if any, formal support.”

Open Source and Corporate Responsibility?

In the case of Log4j, the damaging piece of software is supported by a group of Apache volunteers. They are all well meaning and have worked hard to try to address the root cause, but when it comes to important or even critical infrastructure, is it really appropriate to rely on software with such informal, part-time support?

Michael Meeks commented:

“Open Source is unquestionably a force for good. It’s next to impossible to build a significant technology stack without it today. Nevertheless, the Apache Log4j incident calls into question the relationship between Open Source and commercial users and how they can safely unlock the huge business benefits offered by Open Source software deployment.”

“The point remains that when dealing with important infrastructure all software deployed in the enterprise should be supported by a team of dedicated, full-time experts, who can pro-actively engage with risks, and swiftly respond to users’ needs and any problems that may occur. That should create a positive, contributing linkage between the end-user and the Open Source project.”

Collabora Online Support and Security

In the light of Log4j and the widespread problems it has caused, it’s important to emphasise that Collabora Online, which is based on the LibreOffice technology core, benefits not only from paid maintenance and support, but also from a significant long-term technical investment by the community in code review, linting, fuzzing and extensive automated testing. This is the level of assurance all end-users should demand of their software applications, combined with the obvious benefits of the scrutiny that Open Source code receives.

Collabora Online is fully supported by a full-time team. Should any problems be discovered, they can be easily reported and dealt with, through a support platform and direct contact with engineers. This is further enhanced with a full and complete range of technical documentation, comprehensive SLAs and signed security updates. Users of Collabora Online are never left alone to deal with any problems.

Security is a critical factor in the design. Not only does Collabora Online ensure that end users can collaborate securely, confident that only those permitted can access documents, but because it can be easily deployed on an end user’s own infrastructure, they retain full control over network access and the servers it is hosted on, further protecting data sovereignty.

“All complex software has problems and, despite our best efforts, there are always more to find,” said Michael Meeks. “Having a supplier who is continuously engaged with the community in identifying, fixing, designing around and keeping their customers safe should be a key part of all enterprises’ open source procurement.”