What to know about the latest cybersecurity bug in log4j
The vulnerability is related to an open-source logging tool used by Java programs.
On Saturday, the US Cybersecurity and Infrastructure Security Agency issued a statement about a serious new software bug that could impact Apple’s iCloud, Microsoft’s Minecraft, Baidu, IBM, Amazon Web Service, and others. Hackers could potentially exploit this vulnerability to take over websites.
“We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability,” CISA director Jen Easterly wrote in the statement. The bug pertains to something called log4j, and one way that software engineers can protect websites from it is to upgrade to the latest version of log4j (2.15.0). “We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.”
The vulnerability was first discovered by Alibaba’s security team. Here’s what to know about the exploit and log4j.
Log4j is an open-source tool used by Java programs for logging, or creating a record of everything an application has done. (Open-source tools are free and available for anyone to view to highlight bugs or vulnerabilities.)
“You want to create that record for a variety of different purposes, like being able to debug the application if something goes wrong, or be able to understand anything interesting about how the application was used,” explains Shuman Ghosemajumder, the global head of artificial intelligence at F5, an internet infrastructure and security company. “You can create your own mechanism within your own website or mobile app to record that information, or, you can use a logging program created by someone else, [like] log4j.”
[Related: You need to protect yourself from zero-click attacks]
When information is passed to log4j, it commonly has to go through the website on which log4j is performing those logging operations.
However—and here’s where this serious bug comes into play—if someone sends the library a command in the form of a special string of characters tucked within that data, instead of just logging that information, log4j will execute it as though it is code in a program.
Think of the string as a skeleton key that opens up the program and allows any attackers to insert their own program, that they control, on that website’s server. In theory, they could run software that allows them to completely take over that website or application.
Additionally, attackers can scan all of the websites on the internet to try and find ones that are responding to this special string of characters.
“This is what’s called a remote code execution attack,” says Ghosemajumder. “One of the things that is particularly dangerous about this is that it can give a cyber attacker a very high level of access to websites and to your accounts.”
For example, hackers can bypass the normal mechanisms that are required to do things on your account, like logging into a bank website or an email account that uses log4j. Because it’s possible that attackers can access private accounts without having the login, Ghosemajumder says that consumers should monitor for unusual activity on accounts that are important.
As for companies and organizations, other than updating the software, they can also use cybersecurity tools to filter traffic going to their website to look for that string and prevent it from reaching log4j. “This is what cybersecurity teams everywhere are doing right now,” says Ghosemajumder. “Hopefully, they’re doing it fast enough for most people to be protected.”