The Open Source Technology Improvement Fund (OSTIF) is proud to share the results of our security audits of Apache Log4Net and Apache Log4CXX. Log4CXX is an open source logging framework for C++, and Log4Net is a logging library for .NET that routes log statements to various output targets. With the help of Ada Logics and the Sovereign Tech Agency, these projects received an audit and improved fuzz testing that will keep reporting new findings to the maintainers on an ongoing basis.
Audit Process:
The engagement was performed in late 2024 with three goals: lightweight threat modeling, manual auditing of the libraries, and improving fuzz testing. The audits were performed against the latest master branches of the two projects. Each project underwent a threat modeling exercise to identify the paths by which untrusted input reaches the library; that model then informed the risk scoring of the findings with security impact. Ada Logics are well-respected fuzzing educators, and their fuzzing work during this engagement identified many of the issues uncovered by the audit.
Audit Results:
- 8 Findings with Security Impact
- 4 Medium
- 4 Low
- Custom Threat Model
- Log4CXX integrated into OSS-Fuzz for continuous fuzzing
All issues reported by the Ada Logics team as a result of this audit were fixed by the Log4CXX maintainers. OSTIF would like to thank the maintainer teams who participated in this work for their efforts and contributions.
Thank you to the individuals and groups that made this engagement possible:
- Log4Net and Log4CXX maintainers and community
- Ada Logics: David Korczynski and Adam Korczynski
- Sovereign Tech Agency
You can read the Audit Report HERE
OSTIF is celebrating our 10 year anniversary! Join us for a meetup about our work, lessons learned, and where we see the future of open source security going by following our meetup calendar https://lu.ma/ostif-meetups