Log4Shell bug puts the Internet at risk

Cristina De Luca -

December 14, 2021

Companies around the world are struggling to limit the damage from one of the most significant open-source software security vulnerabilities discovered in years, first publicly disclosed on Friday, December 10. A bug in a program called Log4j, which has been used in countless Java applications built over the past two decades, has forced virtually every company that does business on the Internet to examine its software to determine if it is vulnerable.

In Brazil, for example, 53% of corporate networks saw attempts to exploit the flaw, according to a survey by Check Point Research (CPR). That is a higher share than the global figure of 44%. More than 90 countries were affected.

Dubbed Log4Shell, the zero-day vulnerability, which is considered critical, was initially exploited to compromise Minecraft servers. Four days after the first notification, it is clear that it is a serious threat that is compromising numerous cloud services. Threat analysts and researchers are still assessing the damage, but the outlook is grim.

“This is a very serious vulnerability because of the widespread use of Java and this log4j package,” Cloudflare CTO John Graham-Cumming told The Verge. “There is a huge amount of Java software connected to the internet and on back-end systems.”

Here’s what you need to know for now.

  • Log4j is an open-source logging library used by applications and services on the Internet. Logging is a process in which applications keep a running list of the activities they have performed, which can later be reviewed in case of an error. Almost every network security system runs some kind of logging process, which gives popular libraries like log4j a huge reach.
  • The Log4Shell bug allows an attacker to simply enter a carefully crafted string into a web form which, once it is logged, directs the computer on which the application is running to download malicious code.
  • At that point, your computer is no longer yours.
  • The exploit, which grants full remote access to internal networks without the need for a username or password, can be used to infiltrate and extract valuable data, plant malware, and delete critical information on unpatched devices.
  • The Log4Shell vulnerability can be used to exploit servers run by companies such as Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic, along with many other organizations.
  • Almost all versions of Log4j are vulnerable, from 2.0-beta9 to 2.14.1.
  • Because an attacker could use the flaw to force an affected system to accept commands from a malicious remote server, Sean Gallagher, a senior threat researcher at Sophos, warns that this could include commands to download and install all kinds of code on vulnerable systems, including cryptocurrency miners or other malicious software.

The main cause of Log4Shell, formally known as CVE-2021-44228, is what NIST calls improper input validation. In general terms, this means that the software trusts data arriving from outsiders too much, opening itself to sneaky tricks based on booby-trapped data.

For most large companies and government agencies, it is not a question of whether they have been affected, but how many systems have been affected. The job now is to identify and fix all the systems at risk. To complicate the task, many governments, businesses, and consumers probably don’t know if they have products using the code. The Cybersecurity and Infrastructure Security Agency (CISA) is working to develop a comprehensive list of all products that include the affected code and is encouraging security researchers to share details about any products they believe are affected.
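Identifying the systems at risk starts with an inventory of where log4j-core is actually deployed, including copies buried inside fat jars, wars and ears, and comparing each copy's version against the range the article gives (2.0-beta9 to 2.14.1). The scanner below is an added example written for this page; it is not CISA's, Trend Micro's or any vendor's tool. It reads the Maven pom.properties that log4j-core ships inside the jar, falls back to the file name, recurses into nested jars, and flags versions inside that range. The sample tree it scans is constructed by build_sample_tree() and contains no real Log4j code, only version markers.

```python
"""Inventory log4j-core copies under a directory tree and flag versions inside the
article's stated vulnerable range (2.0-beta9 through 2.14.1). Added example;
fixtures are constructed and contain no real Log4j code."""
import io
import os
import re
import tempfile
import zipfile

# Standard location Maven writes inside the log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)
FILENAME_RE = re.compile(r"log4j-core-(?P<ver>[0-9][\w.\-]*)\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # pre-releases sort before finals

def version_key(version):
    """Turn '2.0-beta9' into a tuple that compares correctly against '2.0' or '2.14.1'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version: {version!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            PRE_RANK[pre.lower() if pre else None], int(pre_num or 0))

VULN_LOW = version_key("2.0-beta9")   # first affected release named in the article
VULN_HIGH = version_key("2.14.1")     # last affected release named in the article

def is_vulnerable(version):
    """True when the version lies inside the article's range, inclusive at both ends."""
    return VULN_LOW <= version_key(version) <= VULN_HIGH

def _version_from_zip(zf, path):
    """Prefer the Maven metadata inside the jar; fall back to the file name."""
    if POM_PROPS in zf.namelist():
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    m = FILENAME_RE.search(os.path.basename(path))
    return m.group("ver") if m else None

def scan_jar(data, path, findings):
    """Inspect one archive (as bytes) and every jar nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        version = _version_from_zip(zf, path)
        if version:
            try:
                findings[path] = (version, is_vulnerable(version))
            except ValueError:
                findings[path] = (version, None)  # unparseable: needs a human look
        for name in zf.namelist():
            if name.lower().endswith(".jar"):    # fat/uber jars embed their libraries
                scan_jar(zf.read(name), f"{path}!/{name}", findings)

def scan_tree(root):
    """Map each log4j-core found under root to (version, vulnerable or None)."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as f:
                    scan_jar(f.read(), full, findings)
    return findings

def _make_jar(path, version=None, nested=None):
    """Constructed fixture: a zip holding only pom.properties and/or nested jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nversion={version}\n")
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    data = buf.getvalue()
    if path:
        with open(path, "wb") as f:
            f.write(data)
    return data

def build_sample_tree():
    """Constructed sample: three deployments, one hiding an old beta inside a fat jar."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    os.makedirs(os.path.join(root, "app1", "lib"))
    _make_jar(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "2.14.1")
    os.makedirs(os.path.join(root, "app2"))
    _make_jar(os.path.join(root, "app2", "log4j-core-2.15.0.jar"), "2.15.0")
    inner = _make_jar(None, "2.0-beta9")  # outer file name reveals nothing
    _make_jar(os.path.join(root, "app3.jar"), None, {"BOOT-INF/lib/log4j-core.jar": inner})
    return root

def demo():
    """Scan the constructed tree; return sorted (relative path, version, vulnerable)."""
    root = build_sample_tree()
    return sorted((os.path.relpath(p, root), v, vuln)
                  for p, (v, vuln) in scan_tree(root).items())

if __name__ == "__main__":
    for path, version, vulnerable in demo():
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {version:10} {path}")
```

Run it against a real deployment root instead of the constructed tree by calling scan_tree("/opt/apps") or similar. A finding of None means the version string could not be parsed and should be checked by hand; and a clean result only proves that no log4j-core with intact Maven metadata or a telltale file name was found, so shaded or repackaged copies still need a separate check.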

Trend Micro has created a quick web-based scanning tool to identify applications that may be affected by Log4Shell.

And a report from The Eclectic Light Company says that Apple has made a patch available for iOS/iPadOS 15.2 and macOS Monterey 12.1.