A flaw in a commonly used piece of software has left millions of web servers vulnerable to exploitation by hackers
13 December 2021
A major security flaw has been discovered in a piece of software called Log4j, which is used by millions of web servers. The bug leaves them vulnerable to attack, and teams around the world are scrambling to patch affected systems before hackers can exploit them. “The internet’s on fire right now,” said Adam Meyers at security company Crowdstrike.
What has happened?
The problem with Log4j was first noticed in the video game Minecraft, but it quickly became apparent that its impact was far larger. The software is used in millions of web applications, including Apple’s iCloud. Attacks exploiting the bug, known as Log4Shell attacks, have been happening since 9 December, says Crowdstrike.
The director of the US Cybersecurity and Infrastructure Security Agency, Jen Easterly, says the security flaw poses a “severe risk” to the internet. “This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use,” she says.
What exactly is Log4j?
Almost every bit of software you use will keep records of errors and other important events, known as logs. Rather than creating their own logging system, many software developers use the open source Log4j, making it one of the most common logging packages in the world.
Not having to reinvent the wheel is a huge benefit, but the popularity of Log4j has now become a global security headache. The flaw affects millions of pieces of software, running on millions of machines, which we all interact with.
What does the flaw allow hackers to do?
Attackers can trick Log4j into running malicious code by forcing it to store a log entry that includes a particular string of text. The way hackers are doing this varies from program to program, but in Minecraft, it has been reported that this was done via chat boxes. A log entry is created to archive each of these messages, so if the dangerous string of text is sent from one user to another it will be implanted into a log.
In another case, Apple servers were found to create a log entry recording the name given to an iPhone by its owner in settings. However it is done, once this trick is achieved, the attacker can run any code they like on the server, such as stealing or deleting sensitive data.
Why wasn’t this flaw found sooner?
The code that makes up open source software can be viewed, run and even – with checks and balances – edited by anyone. This transparency can make software more robust and secure, because many pairs of eyes are working on it. But no software can be guaranteed safe.
The issue that enables the Log4Shell attack has been in the code for quite some time, but was only recognised late last month by a security researcher at Chinese computing firm Alibaba Cloud. He reported the problem immediately to the Apache Software Foundation, the American non-profit organisation that oversees hundreds of open source projects including Log4j, to give it time to fix the issue before it was publicly revealed.
This responsible disclosure is standard practice for bugs like this, although some bug hunters will also sell such vulnerabilities to hackers, allowing them to be used quietly for months or event years – including in snooping software sold to governments around the world.
What happens now?
Apache gave the vulnerability a “critical” ranking and rushed to develop a solution. Now hundreds of thousands of IT teams are scrabbling to update Log4j to version 2.15.0, which was released before the vulnerability was made public and mostly fixes the issue. Teams will also need to scour their code for potential vulnerabilities and watch for hacking attempts.
While patches to fix problems like this can emerge very quickly, especially when they are responsibly revealed to the development team, it takes time for everyone to apply them. Computers and web services are so complex now, and so layered with dozens of stacked levels of abstraction, code running on code, on code, that it could take months for all these services to update.
And there will always be some that never do. Many dusty corners of the internet are propped up on ageing hardware with obsolete, vulnerable code – something that hackers can easily exploit.
More on these topics: