Serious zero-day in the Log4j Java library

© iStock.

A serious vulnerability was discovered in log4j, an open-source logging library used by millions of applications and services on the Internet. Logging is a process by which applications keep a list of the activities they have performed, to be reviewed later if an error comes up. Almost all network security systems go through some sort of logging process, making popular libraries like log4j enormously important. Dubbed Log4Shell, the vulnerability gives an attacker the ability to import malware and execute remote code on vulnerable servers, which compromises machines.

Exploitation of this vulnerability first cropped up on sites aimed at users of Minecraft, the most popular game of all time. Attackers exploited the vulnerability by posting just a string of special characters, using the syntax $ {}, to the chat system of the Java version of the game. The vulnerability is exceptionally easy to exploit and can be triggered in a number of ways. “This is a very serious vulnerability because of the widespread use of Java and this package log4j,” Cloudflare CTO John Graham-Cumming told The Verge. “There’s a tremendous amount of Java software connected to the internet and in back-end systems. When I look back over the last 10 years, there are only two other exploits I can think of with a similar severity: Heartbleed, which allowed you to get information from servers that should have been secure, and Shellshock, which allowed you to run code on a remote machine.”

An update to the log4j library has already been released to mitigate the vulnerability, but given the time required to update all vulnerable machines, Log4Shell remains a major threat.

⇨ The Verge, Corin Faife, “‘Extremely bad’ vulnerability found in widely used logging system.”

⇨ Ars Technica, Dan Goodin, “Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet.”

2021-12-09