A heated exchange between a large company and an open source developer who was told 'Tell us about your Log4j measures, for free' has been made public

In December 2021, it was discovered that the Java logging library 'Log4j', used in a wide range of programs, had a zero-day remote code execution vulnerability, 'Log4Shell', and IT organizations around the world scrambled to respond. An open source developer who was asked by a Fortune 500-class company to explain how he was dealing with the problem has published the emails he exchanged with that company.

LogJ4 Security Inquiry – Response Required | daniel.haxx.se
https://daniel.haxx.se/blog/2022/01/24/logj4-security-inquiry-response-required/

Daniel Stenberg, the developer of cURL, open source software used to send and receive data over various protocols, tweeted a screenshot of an email he received from a company on January 22, 2022.

In the email, with the company name redacted out of consideration for the other party, the company demands a prompt answer on whether its services and products are affected by the Log4j vulnerability and when it will be fixed. Stenberg wrote: 'What does it mean when a big multi-billion dollar company worried about log4j emails an open source software developer it isn't paying anything, and asks for an answer, for free, within 24 hours?'



Stenberg's tweet drew a great deal of attention, with more than 2,500 retweets and more than 12,000 likes at the time of writing, so he decided to publish the rest of the exchange on his blog.

First, Stenberg replied to the email above: 'The level of ignorance and incompetence shown in this email leaves me speechless. None of the code I have been involved with or written uses log4j, and any amateur engineer could easily figure that out. I will answer the details in.'

The company's reply to this was: 'Hello David, thank you for your reply. Does that mean we are not a customer of your organization?' The underlying problem, of course, is that the company does not know who it is dealing with: Stenberg's first name is given as David instead of Daniel, a short but confused reply.



Stenberg replied: 'To Goliath. You have no contract with me or anyone at Haxx, the organization you emailed for information. You are not our customer, and we are not your customers. Your first email didn't even say what product it was about. Would you like to establish a contract with us after all? Otherwise you can find the answer yourself. We make a lot of widely used open source software, so I guess you got our email address and contact information from somewhere.'



'Goliath' refers to the giant in the Bible, about 2.9 meters tall, who confronted David (the origin of the name David). It is a neat bit of sarcasm about the fact that the other party is a huge company and that Stenberg's name was mistaken for David.

The exchange Stenberg published was also discussed in a thread on the social news site Hacker News. One commenter wrote: 'I'm not going to defend this company, but I've received plenty of similar emails from companies I've worked with. They're about the same, and they're common. Probably someone inside the company added "cURL" to a list of product dependencies compiled by the legal department, and a templated email was mass-produced accordingly and ended up with Stenberg. So you should just reply "irrelevant" or ignore it and be done with it,' showing some understanding of the other company's situation. Another commenter countered: 'Not caring about your dependencies enough to even be aware of who maintains the open source software you use is extremely rude.'

In a thread on the online bulletin board Reddit, a comment saying 'I received a similar inquiry from NASA about log4j. I was happy to learn that a government agency like NASA was using my niche app, and I replied' collected a lot of upvotes.

in Software, Posted by log1l_ks