If you work in an organization that uses open source to develop applications, by now you are probably aware of the recently disclosed vulnerability in log4j, commonly being referred to as the Log4Shell vulnerability.
Virtually every organization that uses Java (Maven/Gradle) uses log4j and has likely been impacted. According to data tracked by Tidelift, log4j-core has over 3,600 dependent packages in the Java language ecosystem and over 20,900 dependent software repositories on public code collaboration platforms.
In the aftermath, many discussed how the situation felt similar to another zero day vulnerability from nearly a decade ago: the Heartbleed bug. Heartbleed was a serious vulnerability that affected the popular OpenSSL cryptographic software library, and first drew attention to the serious need for better support for the often-volunteer independent maintainers of open source.
How are things different now than they were a decade ago when we first heard about Heartbleed? How are things still the same?
Tidelift solutions architect lead Mark Galpin shared insights into the Log4Shell vulnerability and discussed how things have changed since Heartbleed. He described how things have improved, discussed ways we can continue to address the underlying issues even better, and showed how Tidelift can help with these challenges.