The Times Australia
The Times World News

.
The Times Real Estate

.

What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what's at stake

  • Written by Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue University
What is Log4j? A cybersecurity expert explains the latest internet vulnerability, how bad it is and what's at stake

Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems.

Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the most serious vulnerability[1] she’s seen in her career. There have already been hundreds of thousands, perhaps millions, of attempts to exploit the vulnerability[2].

So what is this humble piece of internet infrastructure, how can hackers exploit it and what kind of mayhem could ensue?

a woman with long dark hair wearing eyeglasses speaks into a microphone
Cybersecurity & Infrastructure Security Agency director Jen Easterly called Log4Shell ‘the most serious vulnerability I’ve seen.’ Kevin Dietsch/Getty Images News[3]

What does Log4j do?

Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s open-source software[4] provided by the Apache Software Foundation[5].

A common example of Log4j at work is when you type in or click on a bad web link and get a 404 error message. The web server running the domain of the web link you tried to get to tells you that there’s no such webpage. It also records that event in a log for the server’s system administrators using Log4j.

Similar diagnostic messages are used throughout software applications. For example, in the online game Minecraft, Log4j is used by the server to log activity like total memory used and user commands typed into the console.

How does Log4Shell work?

Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.

Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server.

It is relatively simple to exploit Log4Shell. I was able to reproduce the problem in my copy of Ghidra[6], a reverse-engineering framework for security researchers, in just a couple of minutes. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it.

Log4j is everywhere

One of the major concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes Log4j very widespread[7]. In addition to popular games like Minecraft, it’s used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of programs from software development tools[8] to security tools[9].

Open-source software like Log4j is used in so many products and tools that some organizations don’t even know which pieces of code are on their computers.

This means hackers have a large menu of targets to choose from: home users, service providers, source code developers and even security researchers. So while big companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, there are many more organizations that will take longer to patch their systems, and some that might not even know they need to.

The damage that can be done

Hackers are scanning through the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions.

These instructions can create a reverse shell[10], which allows the attacking server to remotely control the targeted server, or they can make the target server part of a botnet[11]. Botnets use multiple hijacked computers to carry out coordinated actions on behalf of the hackers.

A large number of hackers[12] are already trying to abuse Log4Shell. These range from ransomware gangs locking down minecraft servers[13] to hacker groups trying to mine bitcoin[14] and hackers associated with China and North Korea[15] trying to gain access to sensitive information from their geopolitical rivals. The Belgian ministry of defense reported that its computers were being attacked using Log4Shell[16].

Although the vulnerability first came to widespread attention on Dec. 10, 2021, people are still identifying new ways[17] to cause harm through this mechanism.

Stopping the bleeding

It is hard to know whether Log4j is being used in any given software system because it is often bundled as part of other software[18]. This requires system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it’s that much harder to eradicate the vulnerability.

Another consequence of Log4j’s diverse uses is there is no one-size-fits-all solution to patching it. Depending on how Log4j was incorporated in a given system, the fix will require different approaches. It could require a wholesale system update, as done for some Cisco routers[19], or updating to a new version of software, as done in Minecraft[20], or removing the vulnerable code manually for those who can’t update the software.

Log4Shell is part of the software supply chain. Like physical objects people purchase, software travels through different organizations and software packages before it ends up in a final product. When something goes wrong, rather than going through a recall process, software is generally “patched[21],” meaning fixed in place.

However, given that Log4j is present in various ways in software products[22], propagating a fix requires coordination from Log4j developers, developers of software that use Log4j, software distributors, system operators and users. Usually, this introduces a delay between the fix being available in Log4j code and people’s computers actually closing the door on the vulnerability.

[Over 140,000 readers rely on The Conversation’s newsletters to understand the world. Sign up today[23].]

Some estimates for time-to-repair in software generally range from weeks to months[24]. However, if past behavior is indicative of future performance, it is likely the Log4j vulnerability will crop up for years to come[25].

As a user, you are probably wondering what can you do about all this. Unfortunately, it is hard to know whether a software product you are using includes Log4j and whether it is using vulnerable versions of the software. However, you can help by heeding the common refrain from computer security experts: Make sure all of your software is up to date.

References

  1. ^ most serious vulnerability (www.cnbc.com)
  2. ^ attempts to exploit the vulnerability (www.zdnet.com)
  3. ^ Kevin Dietsch/Getty Images News (www.gettyimages.com)
  4. ^ open-source software (www.businessinsider.com)
  5. ^ Apache Software Foundation (apache.org)
  6. ^ Ghidra (github.com)
  7. ^ Log4j very widespread (security.googleblog.com)
  8. ^ software development tools (wiki.eclipse.org)
  9. ^ security tools (github.com)
  10. ^ reverse shell (www.acunetix.com)
  11. ^ botnet (www.howtogeek.com)
  12. ^ large number of hackers (www.akamai.com)
  13. ^ ransomware gangs locking down minecraft servers (www.crn.com)
  14. ^ hacker groups trying to mine bitcoin (www.silentpush.com)
  15. ^ China and North Korea (www.microsoft.com)
  16. ^ attacked using Log4Shell (www.wsj.com)
  17. ^ new ways (www.theregister.com)
  18. ^ bundled as part of other software (deps.dev)
  19. ^ some Cisco routers (tools.cisco.com)
  20. ^ Minecraft (www.minecraft.net)
  21. ^ patched (www.techopedia.com)
  22. ^ present in various ways in software products (unit42.paloaltonetworks.com)
  23. ^ Sign up today (memberservices.theconversation.com)
  24. ^ weeks to months (www.rapid7.com)
  25. ^ will crop up for years to come (blog.malwarebytes.com)

Read more https://theconversation.com/what-is-log4j-a-cybersecurity-expert-explains-the-latest-internet-vulnerability-how-bad-it-is-and-whats-at-stake-173896

The Times Features

How to Protect Your Garden Trees from Wind Damage in Australia

In Australia's expansive landscape, garden trees hold noteworthy significance. They not only enhance the aesthetic appeal of our homes but also play an integral role in the local...

Brisbane Homeowners Warned: Non-Compliant Flexible Hoses Pose High Flood Risk

As a homeowner in Brisbane, when you think of the potential for flood damage to your home, you probably think of weather events. But you should know that there may be a tickin...

Argan Oil-Infused Moroccanoil Shampoo: Nourish and Revitalize Your Hair

Are you ready to transform your hair from dull and lifeless to vibrant and full of life? Look no further than the luxurious embrace of Argan Oil-Infused Moroccanoil Shampoo! In a...

Building A Strong Foundation For Any Structure

Building a home or commercial building can be very exciting. The possibilities are endless and the future is interesting. You can always change aspects of the building to meet the ...

The Role of a Family Dentist: Why Every Household Needs One

source A family dentist isn’t like your regular dentist who may specialise in a particular age group and whom you visit only when something goes wrong. A family dentist takes proa...

Benefits of Getting an Online Medical Certificate

Everyone has experienced it. Rather than taking a break, you drag yourself to the doctor's office, where you have to wait in lengthy lines, and then you have to hurry to get that...

Times Magazine

"Eternal Nurture" by Cara Barilla: A Timeless Collection of Wisdom and Healing

Renowned Sydney-born author and educator Cara Barilla has released her latest book, Eternal Nurture, a profound collection of inspirational quotes designed to support mindfulness, emotional healing, and personal growth. With a deep commitment to ...

How AI-Driven SEO Enhancements Can Improve Headless CMS Content Visibility

Whereas SEO (search engine optimization) is critical in the digital landscape for making connections to content, much of it is still done manually keyword research, metatags, final tweaks at publication requiring a human element that takes extensiv...

Crypto Expert John Fenga Reveals How Blockchain is Revolutionising Charity

One of the most persistent challenges in the charity sector is trust. Donors often wonder whether their contributions are being used effectively or if overhead costs consume a significant portion. Traditional fundraising methods can be opaque, with...

Navigating Parenting Arrangements in Australia: A Legal Guide for Parents

Understanding Parenting Arrangements in Australia. Child custody disputes are often one of the most emotionally charged aspects of separation or divorce. Parents naturally want what is best for their children, but the legal process of determining ...

Blocky Adventures: A Minecraft Movie Celebration for Your Wrist

The Minecraft movie is almost here—and it’s time to get excited! With the film set to hit theaters on April 4, 2025, fans have a brand-new reason to celebrate. To honor the upcoming blockbuster, watchfaces.co has released a special Minecraft-inspir...

The Ultimate Guide to Apple Watch Faces & Trending Wallpapers

In today’s digital world, personalization is everything. Your smartwatch isn’t just a timepiece—it’s an extension of your style. Thanks to innovative third-party developers, customizing your Apple Watch has reached new heights with stunning designs...

LayBy Shopping