Log4j: A dangerous bug put the entire Internet at risk

A flaw in a commonly used piece of software has left millions of web servers vulnerable to exploitation by hackers

December 13, 2021

Image caption: Hackers can use the Log4j error to access secure data

A major security vulnerability has been discovered in a program called Log4j, which is used by millions of web servers. This bug leaves them vulnerable to attack, and teams around the world are scrambling to fix affected systems before hackers can exploit them. “The internet is on fire right now,” said Adam Meyers of security firm CrowdStrike.

What happened?

The Log4j issue was first noticed in the video game Minecraft, but it soon became clear that its effect was much greater. The software is used in millions of web applications, including Apple’s iCloud. Attacks that exploit the bug, known as Log4Shell attacks, have been occurring since December 9, CrowdStrike says.

The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, says the security flaw poses a “grave danger” to the Internet. “This vulnerability, which is widely exploited by a growing group of threat actors, presents an urgent challenge to network defenders given its extensive use,” she says.

What exactly is Log4j?

Almost every piece of software you use keeps records of errors and other important events, known as logs. Instead of creating their own logging system, many software developers use the open source Log4j, which makes it one of the most popular logging packages in the world.

Not having to reinvent the wheel is a huge benefit, but Log4j’s popularity is now a global security problem. The flaw affects millions of pieces of software, running on millions of devices, with which we all interact.

What does the flaw allow hackers to do?

Attackers can trick Log4j into running malicious code by forcing it to store a log entry that contains a certain text string. How hackers get that string into a log varies from program to program, but in Minecraft it has reportedly been done via chat boxes. A log entry is created to archive each of these messages, so if a dangerous text string is sent from one user to another, it will be written into a log.

In another case, Apple servers were found to create a log entry recording the name given to an iPhone by its owner in Settings. Either way, once this trick succeeds, the attacker can run any code they want on the server, such as code that steals or deletes sensitive data.

Why was this flaw not discovered sooner?

The code that makes up open source software can be viewed, run and, with checks and balances, even edited by anyone. This transparency can make the program more robust and secure, because many people are working on it. But the security of any software cannot be guaranteed.

The problem that enables the Log4Shell attack has been in the code for some time, but was only identified late last month by a security researcher at Chinese computing firm Alibaba Cloud. They reported the problem immediately to the Apache Software Foundation, the US non-profit organisation that oversees hundreds of open source projects including Log4j, to give it time to fix the problem before it was publicly revealed.

Such responsible disclosure is standard practice for bugs like this, although some bug hunters will instead sell such vulnerabilities to hackers, allowing them to be used quietly for months or years, including by hackers who sell to governments around the world.

What will happen now?

Apache gave the vulnerability a “critical” rating and rushed to develop a fix. Now hundreds of thousands of IT teams are scrambling to update Log4j to version 2.15.0, which was released before the vulnerability was announced and largely fixes the problem. Teams will also need to search their code for potential vulnerabilities and monitor for hacking attempts.
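Searching a code base for the affected library is the first step of the clean-up the article describes. The following is an added example, not code from the article or from the Log4j project: it walks a directory tree, reads the Maven metadata that every log4j-core JAR carries (so renamed files are still found), and flags any copy older than 2.15.0, the fix release the article names. The sample JARs it builds in a temporary directory are constructed for the demonstration.

```python
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 15, 0)  # the fix release the article names; raise it to your vendor's current advice
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a '-rc1' suffix is ignored, an unparseable string sorts lowest."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else (0, 0, 0)

def jar_log4j_core_version(path):
    """Version recorded in the JAR's Maven metadata (catches renamed files), or None if not log4j-core."""
    try:
        with zipfile.ZipFile(path) as jar:
            if POM_PROPS not in jar.namelist():
                return None
            for line in jar.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    except (zipfile.BadZipFile, OSError):
        return None
    return None

def scan_tree(root):
    """Walk a directory; return [(path, version)] for log4j-core JARs older than FIXED_VERSION."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".jar"):
                full = os.path.join(dirpath, name)
                version = jar_log4j_core_version(full)
                if version and parse_version(version) < FIXED_VERSION:
                    findings.append((full, version))
    return sorted(findings)

def make_sample_jar(path, version):
    """Constructed sample: a minimal JAR carrying only log4j-core's pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")

def demo():
    """Build a constructed tree with one old JAR and one fixed (renamed) JAR, then scan it."""
    root = tempfile.mkdtemp()
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(root, "vendor-bundle.jar"), "2.15.0")
    return [version for _, version in scan_tree(root)]
```

Calling `demo()` returns `['2.14.1']`: only the old copy is reported, and the renamed fixed copy passes because the check reads the embedded metadata rather than the file name.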

While patches to fix issues like this can appear very quickly, especially when they are disclosed responsibly to the development team, it takes time for everyone to apply them. Computers and web services are now so complex, built from dozens of layers of abstraction, code on code on code, that it can take months for all of these services to be updated.

And there will always be some that never are. Many dusty corners of the internet run on outdated hardware backed by outdated, vulnerable code, something that hackers can easily exploit.
