May 13, 2022

A Fortune 500 company demanded fast and free answers from the cURL creator, who told them he would gladly provide them as soon as they signed a support contract

Daniel Stenberg, the creator of cURL, received an email from a Fortune 500 company (the Fortune 500 ranks the 500 largest American companies by revenue). The company, or its customers, was probably using cURL and, in the context of the vulnerability in the Apache log4j logging library, sent him a series of questions to establish, among other things, whether cURL relies on log4j. "If you're a multi-billion dollar company and you're concerned about log4j, why not just email the OSS authors you never paid anything and demand a free response within 24 hours with plenty of information?" he asked, presenting the email he had received.

On December 9, 2021, a vulnerability was disclosed in the Apache log4j logging library. This library is very widely used in Java/J2EE application development projects as well as by vendors of off-the-shelf Java/J2EE-based software.

Log4j includes a lookup mechanism that can be invoked through a special syntax inside a logged string. For example, ${java:version} resolves to the version of the Java runtime. When the key begins with jndi, the lookup is performed through the JNDI API. By default such lookups are resolved under the java:comp/env/ prefix, but the authors also allowed a custom prefix to be supplied after a colon in the key. This is where the vulnerability lies: if jndi:ldap:// is used as the key, the request goes to the LDAP server named in the string. Other protocols, such as LDAPS, DNS and RMI, can be used as well.

Thus, a remote server controlled by an attacker can return an object to the vulnerable server, potentially leading to arbitrary code execution on the system or the leakage of confidential data. All an attacker needs to do is get a crafted string into something the application logs, so that it is processed by the Log4j library. This can be done with simple HTTP requests, for example through web forms, data fields or HTTP headers, or through any other interaction that ends up in server-side logging.

The vulnerability has been characterized by Tenable as the most significant and critical vulnerability of the past decade.

The vulnerability carries the maximum severity score of 10.0 on the CVSS scale.

Patches were released, but weaknesses were in turn found in those patches. In total, researchers identified four vulnerabilities by examining the attack surface left by three successive patches intended to close the same flaw.

The creator of cURL questioned

cURL (short for "client URL"; the name is also read as "see URL") is a command-line tool for retrieving the content of a resource reachable over a network. The resource is designated by a URL and must be of a type the software supports. Unlike wget, cURL can also create or modify a resource, so it can be used as a REST client.

The cURL program implements the user interface and is built on the libcurl library, written in C. The library is thus available to developers who want network access functionality in their own programs, and bindings exist for many languages (C++, Java, .NET, Perl, PHP, Ruby, and others).

The library supports, among others, the protocols DICT, file, FTP, FTPS, Gopher, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, Telnet and TFTP.

Its creator, Daniel Stenberg, was contacted in the context of the log4j flaw by a company large enough to be listed in the Fortune 500. In a blog post, he wrote:

On Friday, January 21, 2022, I received this email. I tweeted about it and it took off.

The email is from a multi-billion dollar Fortune 500 company that apparently might use a product containing my code, or maybe they have customers who do. Who knows?

I guess they do it for compliance reasons and they "forgot" that their open source components are not automatically provided by "partners" they can simply ask for this information.

I replied to the email very briefly and said that I would be happy to respond with details once we have signed a support contract.

I think this is maybe a good example of the open source pyramid and people at the higher layers don’t think at all about how the lower layers are maintained. Building a house without worrying about the ground on which the house stands.

In his tweet and blog post, he removes the company name and gives reasons: I most likely have the right to tell you who they are, but I still prefer not to. (Especially if I can land a profitable commercial contract with them.) I think we can find that level of entitlement in many businesses.

He continues:

The level of ignorance and incompetence shown in this one email is staggering.

Although they don't even specifically say what product they use, no code I've ever been involved with or hold copyright on uses log4j, and any newbie or better engineer could easily verify that.

In the image version of the email, I blurred the name fields to better anonymize the sender, and in the text below I replaced them with NNNN. (And yes, it's very odd that they are sending out log4j requests now, apparently very late.)

Emails

Quote (sent by the company):

Dear Haxx Team Partner,

You are receiving this message because NNNN uses a product that you developed. We ask that you review and respond within 24 hours of receiving this email. If you are not the right person, please forward this message to the appropriate contact.

As you may already know, a recently discovered zero-day vulnerability is currently affecting the Apache Log4j Java logging library globally, potentially allowing attackers to take full control of affected servers.

The security and protection of our customers’ confidential information is our top priority. As a key partner serving our customers, we need to understand your risk and vulnerability mitigation plans.

Please answer the following questions using the template provided below.

1. If you are using a Java logging library for one of your applications, what versions of Log4j are you running?

2. Have there been any confirmed security incidents in your business?

3. If yes, which applications, products, services and associated versions are impacted?

4. Were any NNNN products and services affected?

5. Was NNNN’s non-public or personal information affected?

6. If yes, please provide the relevant details to NNNN immediately.

7. What is the deadline (MM/DD/YY) to complete the remediation? List the NNNN steps, including the dates for each.

8. What action is required from NNNN to complete this fix?

In an effort to maintain the integrity of this survey, we ask that you do not share NNNN-related information outside of your company and restrict this request to relevant personnel only.

Thank you in advance for your prompt attention to this request and your partnership!

Sincerely,

Information Security NNNN

The information contained in this message may be CONFIDENTIAL and is intended only for the intended recipient. Any unauthorized use, dissemination of information or copying of this message is prohibited. If you are not the intended recipient, please notify the sender immediately and delete this message.

On January 24, Stenberg received this reply from the same address, quoting his own response:

Quote (sent by the company):

Hi David,

Thank you for your response. Are you saying that we are not a client of your organization?

/ [first name of the person addressing "David"]

Stenberg replied once more (10:29 p.m. CET on January 24) to this email addressing him as "David". Given the well-known story of David facing Goliath, he could not resist the joke:

Quote (sent by Daniel Stenberg):

Hi Goliath,

No, you have no contract with me or anyone else at Haxx that sent you this email asking for a lot of information. You are not our client, we are not your client. Also, you didn't specify which product it was.

So we can either establish such a relationship or you are free to seek answers to your questions yourself.

I can only assume that you have integrated our email address and contact details into your systems, as we produce a lot of widely used open source software.

Best wishes,
Daniel

Source: Daniel Stenberg (blog post, Tweet)

And you?

What do you think of the Fortune 500 company’s approach?
What do you think of Daniel Stenberg's response?

See also:

GitHub restores the account of the dev who intentionally corrupted its libraries, some devs believe the suspension was unreasonable since it was their own code
Log4j: CISA director expects fallout from flaw that will span years and serve future intrusions into corporate systems