21 October 2022
Recently there has been a lot of buzz about a newly disclosed vulnerability in Apache Commons Text. It carries a high severity rating, meaning it is both dangerous and exploitable. If you want more details, check out this great article: https://nakedsecurity.sophos.com/2022/10/18/dangerous-hole-in-apache-commons-text-like-log4shell-all-over-again/ The CVE is currently under review; stay tuned for more information.
For many of you reading this, you are likely weary of the constant barrage of vulnerability after vulnerability after …. Can’t we just have an unbreakable software package? Won’t somebody step up to that challenge, write it once and let us forget about it?
In short, no. Today’s software development has evolved to be faster and cheaper. Security is also part of that equation, and in some cases it is at the forefront. But in the ever competitive rush to market and profitability, we will always have some amount of bugs in the code. And at some point, somebody will find a way to exploit that vulnerability, or maybe even automate the process with ML and AI solutions.
What to do? As in all cases, expect to patch. In fact, you should consider patching part of your total cost of ownership. Gone are the days of devices that are switched on once and never touched again. These days your solution can be always on, but underneath the presentation and interaction layer there may be constant cycling of instances down, patching, and bringing them back up.
Plan for it. Get good at it. Do it often. (And if you have not restarted your personal cell phone lately, perhaps this is a good time to apply those pending patches and restart. You’re welcome!)
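Planning a patch starts with knowing where the affected library actually lives, and with a library like Commons Text that is rarely a direct dependency: it tends to arrive bundled inside application fat jars. The script below is an added example, not code from the original post or from the Apache project. It walks a directory tree, opens every jar/war/ear, recurses into nested jars, and reports each copy of Commons Text it finds together with the version recorded in the jar. It assumes the Maven-style layout that Apache jars use (a `META-INF/maven/org.apache.commons/commons-text/pom.properties` file with a `version=` line); the sample jars it scans are constructed in a temporary directory inside the script so it runs offline. It deliberately does not decide which versions are vulnerable: compare what it reports against the vendor advisory once the CVE is finalised.

```python
"""Inventory scanner for Apache Commons Text copies, including nested jars.

Added example; not from the original post or the Apache project.
Assumption: Maven-built jars carry META-INF/maven/<group>/<artifact>/pom.properties
with a 'version=' line, which is how the version is recovered here.
"""
import io
import os
import tempfile
import zipfile

# Assumed path of the Maven metadata inside a commons-text jar.
POM_PROPS = "META-INF/maven/org.apache.commons/commons-text/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _version_from_zip(zf):
    """Return the version= value from the commons-text pom.properties, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar_bytes(data, label, depth=0, max_depth=3):
    """Return [(location, version)] for every commons-text copy in an archive.

    Recurses into nested archives (fat/uber jars, BOOT-INF/lib, WEB-INF/lib),
    labelling nested finds as 'outer.jar!/inner/path.jar'.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip at all; skip silently
    with zf:
        version = _version_from_zip(zf)
        if version:
            hits.append((label, version))
        if depth < max_depth:
            for name in zf.namelist():
                if name.lower().endswith(ARCHIVE_SUFFIXES):
                    hits.extend(scan_jar_bytes(zf.read(name), f"{label}!/{name}",
                                               depth + 1, max_depth))
    return hits


def scan_tree(root):
    """Scan every archive under root; locations are reported relative to root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits.extend(scan_jar_bytes(fh.read(), os.path.relpath(path, root)))
    return hits


def _make_jar(entries):
    """Build an in-memory jar from {name: bytes|str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample data: a plain commons-text jar, a Spring-Boot-style fat
    jar that bundles it, and an unrelated Commons jar that must not match."""
    commons_text = _make_jar({
        POM_PROPS: "groupId=org.apache.commons\nartifactId=commons-text\nversion=1.9\n",
        "org/apache/commons/text/StringSubstitutor.class": b"\xca\xfe\xba\xbe",
    })
    fat_jar = _make_jar({
        "BOOT-INF/classes/app/Main.class": b"\xca\xfe\xba\xbe",
        "BOOT-INF/lib/commons-text-1.9.jar": commons_text,
    })
    unrelated = _make_jar({
        "META-INF/maven/org.apache.commons/commons-lang3/pom.properties": "version=3.12.0\n",
    })
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    os.makedirs(os.path.join(root, "apps"), exist_ok=True)
    files = {
        "lib/commons-text-1.9.jar": commons_text,
        "lib/commons-lang3-3.12.0.jar": unrelated,
        "apps/service.jar": fat_jar,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sorted(scan_tree(root))


if __name__ == "__main__":
    for location, version in demo():
        print(f"{location}: commons-text {version}")
```

Point `scan_tree()` at a deployment directory (or an unpacked container image) to get the list of artifacts that need a rebuild; the nested `!/` labels are the ones that usually get missed, because the library never appears in the host's package manager.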