Log4J: Why it’s a big deal and how it happened

After a year of headline-grabbing cyber attacks and vulnerabilities, this could be the big one.

The scramble to address a massive Java-based flaw, dubbed Log4J, began last weekend, and it hasn’t stopped. Cybersecurity professionals, developers, and corporations are all hustling to determine what products and services are affected, and how to patch them. Meanwhile, cybercriminals are rushing to exploit the vulnerability.

This story begins with Minecraft. Last week, players of the Java version revealed a vulnerability in the game. By using the chat function, players discovered they could run code on servers and other players’ computers.

Microsoft has since issued patch instructions for Minecraft players, and that might have been the end of the story, if it weren’t for one major problem: This vulnerability is everywhere. In fact, it might be more difficult to find a place where it doesn’t exist. Some high-profile affected products and services include Amazon, Apple iCloud, Cisco, Tesla, and Twitter.

With a few keystrokes, a malicious actor could venture into the servers of some of the world’s biggest companies–bypassing password protection. Once inside, they could exfiltrate and ransom data, embed malware, or sabotage a company or individual. You can see examples of how the exploit works in this Ars Technica story.

Cybercriminals have taken notice. At least 10 different types of malware are circulating for this vulnerability, according to Netlab. And bots are trolling the web looking to exploit it.

For major companies, such as Apple, Amazon, and Microsoft, patching the vulnerability should be relatively straight forward. However, many third-party service providers rely on Log4J. Businesses that use these third-party providers are left on the sidelines, hoping that their vendors are aware of the vulnerability and are working to correct it, if present.

The design flaw that set the internet on fire

So, how did it happen? Essentially, this vulnerability is the combination of a design flaw and bad habits, according to the experts I spoke to for this post.

The cybersecurity industry has dubbed this exploit Log4J, naming it after the Java logging framework that is the source of the problem. Log4J was created by open-source developer Apache Logging Services. It records what happens inside an application or server. When something goes wrong, these logs are essential for fixing the problem.

To exploit this vulnerability, a malicious actor feeds some code to Log4J. Log4J then stores the code. The stored code leaves the door open for more exploitative Java coding, which a malicious actor can use to take over a server. That’s the design flaw. The bad habit stems from the tendency among developers who use Log4J to log everything. Many computer science programs teach this as SOP, experts told me. In this case, logging everything creates the attack vector.

As you might imagine, some finger-pointing has ensued, and since this is the internet we’re talking about, it’s gotten nasty. So, who’s behind Log4J? Ten well-meaning volunteers at a non-profit. Here’s what one had to say.

This might leave you wondering, is there a better way of handling this? The answer, it seems, is no. Since the early days of the internet, the people at Apache have been creating quality products for free, using their highly specialized areas of expertise. They’ve taken an open-source approach, which allows anyone with the requisite skills and knowledge to identify security flaws. Much of our critical digital architecture contains highly specialized open-source solutions, such as Log4J.

Hypothetically, if Log4J were a closed-source solution, the developers may have made more money, but, without the limitless scrutiny of open-source, the end product may have been less secure. The vulnerability also may have never come to light in the first place.

What to do

Pretty much any internet-connected device you own could be running Log4J. At the moment, there isn’t a lot consumers can do to protect themselves, other than make sure they’re running the most up-to-date versions of software and applications. They should also monitor sensitive accounts for unusual activity, since the vulnerability bypasses password protection.

For businesses, the Cybersecurity & Infrastructure Security Agency (CISA) recommends the following:

• Upgrade to Log4J version 2.15.0.
• Determine which external-facing devices are running Log4J.
• Make sure your security operations team is actioning all alerts on these devices.
• Install a WAF with rules that automatically update so your security operations team can focus on fewer alerts.

There are also some comprehensive lists circulating of what is and isn’t affected:

• Tech Solvency
• Another from the Dutch National Cyber Security Center

How will this race between the developers/cybersecurity pros and the cybercriminals turn out? Unfortunately, it’s wait-and-see. While we wait, much of the world’s data hangs in the balance.