Log4Shell bug puts the Internet at risk
Companies around the world are struggling to limit the damage from one of the most significant open-source software security vulnerabilities discovered in years, first publicly disclosed on Friday, December 10. A bug in a program called Log4j, which has been used in countless Java applications built over the past two decades, has forced virtually every company that does business on the Internet to examine its software to determine if it is vulnerable.
In Brazil, for example, 53% of corporate networks saw attempts to exploit the bug, according to a survey by Check Point Research (CPR), a higher share than the global figure of 44%. More than 90 countries were affected.
Dubbed Log4Shell, the zero-day vulnerability, which is considered critical, was initially exploited to compromise Minecraft servers. Four days after the first notification, it is clear that it is a serious threat that is compromising numerous cloud services. Threat analysts and researchers are still assessing the damage, but the outlook is grim.
“This is a very serious vulnerability because of the widespread use of Java and this log4j package,” Cloudflare CTO John Graham-Cumming told The Verge. “There is a huge amount of Java software connected to the internet and on back-end systems.”
Here’s what you need to know for now.
The main cause of Log4Shell, formally known as CVE-2021-44228, is what NIST calls improper input validation. In general terms, this means the software places too much trust in data arriving from outsiders, leaving it open to tricks embedded in booby-trapped input.
For most large companies and government agencies, it is not a question of whether they have been affected, but how many systems have been affected. The job now is to identify and fix all the systems at risk. To complicate the task, many governments, businesses, and consumers probably don’t know if they have products using the code. The Cybersecurity and Infrastructure Security Agency (CISA) is working to develop a comprehensive list of all products that include the affected code and encouraging security researchers to share details about any products they believe are affected.
Trend Micro has created a quick web-based scanning tool to identify applications that may be affected by Log4Shell.
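The same kind of inventory check can be done locally. The script below is an added example, not Trend Micro's tool or anything from the article: it walks a directory tree, opens every `.jar`/`.war`/`.ear` (including archives nested inside fat jars), reads the version that Maven records in `META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties`, and flags versions in the range Apache's advisory lists for CVE-2021-44228 (2.x before 2.15.0, except the backported fixes 2.12.2 and 2.3.1). The `demo()` function builds a constructed temporary tree with three fixture jars so the script runs offline; the fixture paths and versions are made up for the demonstration.

```python
"""Find log4j-core JARs whose version falls in the CVE-2021-44228 affected range."""
import io
import os
import re
import tempfile
import zipfile

# Maven writes this file into every log4j-core jar; it carries the version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Apache's advisory: 2.x before 2.15.0 is affected, except the backported
# fixes 2.12.2 (Java 7) and 2.3.1 (Java 6).
FIXED_BACKPORTS = {(2, 12, 2), (2, 3, 1)}


def parse_version(ver):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0) (qualifier dropped)."""
    core = ver.split("-")[0]
    parts = [int(p) for p in re.findall(r"\d+", core)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(ver):
    """True when the version string lies in the CVE-2021-44228 range."""
    v = parse_version(ver)
    if v in FIXED_BACKPORTS:
        return False
    return (2, 0, 0) <= v < (2, 15, 0)


def version_in_zip(zf):
    """Return the log4j-core version declared in an open archive, or None."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_jar(label, data):
    """Yield (label, version) for this archive and any archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        ver = version_in_zip(zf)
        if ver:
            yield label, ver
        for name in zf.namelist():
            if name.endswith((".jar", ".war", ".ear")):
                yield from inspect_jar(f"{label}!{name}", zf.read(name))


def scan_tree(root):
    """Return sorted (path, version, affected) triples for every log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith((".jar", ".war", ".ear")):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            for label, ver in inspect_jar(os.path.relpath(full, root), data):
                findings.append((label, ver, is_affected(ver)))
    return sorted(findings)


def make_fake_jar(path, version):
    """Constructed fixture: a minimal jar carrying only the pom.properties entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")


def demo():
    """Build a constructed tree (two plain jars, one fat jar) and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", "lib"))
    make_fake_jar(os.path.join(root, "app", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    make_fake_jar(os.path.join(root, "app", "lib", "log4j-core-2.17.1.jar"), "2.17.1")
    inner = io.BytesIO()  # vulnerable log4j-core embedded inside a fat jar
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.13.0\n")
    with zipfile.ZipFile(os.path.join(root, "app", "service.jar"), "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.13.0.jar", inner.getvalue())
    return scan_tree(root)


if __name__ == "__main__":
    for label, ver, affected in demo():
        print(f"{'AFFECTED' if affected else 'ok      '} {ver:10} {label}")
```

Run it against a real deployment with `scan_tree("/opt/myapp")` (a hypothetical path) instead of `demo()`. A clean result only means no log4j-core was found by this particular marker; vendor-repackaged or shaded copies may not carry the Maven metadata, which is why CISA's product list and vendor advisories remain necessary alongside file scanning.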
The Eclectic Light Company reports that Apple has made a patch available for iOS/iPadOS 15.2 and macOS Monterey 12.1.