Apache Log4j

How does this open source repository relate to critical infrastructure and healthcare?

This is one of the most common Java logging implementations on Maven Central and is used by thousands of Java libraries. The Wikipedia article on Log4Shell estimates that the vulnerability affected hundreds of millions of devices [1].

What would vulnerabilities in this repository mean for critical infra & healthcare?

The Log4Shell vulnerability was described as "border[ing] on apocalyptic" [1]. While that vulnerability has been mitigated, it helped communicate how severe the risk is if this library is compromised.

[1] Log4Shell Wiki

Challenges

>>> Brick Pony