Everyone is talking about Log4Shell, a zero-day remote code execution exploit in versions of log4j, the popular open source Java logging library.
In fact, I’ve received so many emails from PR agencies pitching their cybersecurity clients’ views on Log4Shell that it felt like my inbox was suffering a denial-of-service attack…
Details of the critical vulnerability were made public on Friday last week, almost a month after the cloud security team at Alibaba responsibly disclosed it to the Apache Software foundation.
The software flaw, which is being actively exploited by criminals, allows remote attackers to trick servers into running malicious code.
And that’s a big problem. Because Log4j is ubiquitous, widely used in a huge number of software products, online systems, and internet-connected devices.
One of the first public signs that the vulnerability was being exploited appeared in Minecraft, where attackers were able to run unauthorised code on Minecraft servers by pasting a message into the game’s online chat feature.
But the attacks go deeper than simply messing with people’s gaming. You don’t win any prizes for predicting that the vulnerability will be exploited to plant malware, install ransomware and cryptomining code, and steal data and user credentials.
What do you need to do about the Log4Shell exploit?
If you’re a regular user, make sure that updates are installed for software and internet-enabled devices as soon as they are made available. For instance, Microsoft has already released a security update if you’re a Minecraft player.
Player safety is the top priority for us. Unfortunately, earlier today we identified a security vulnerability in Minecraft: Java Edition.
The issue is patched, but please follow these steps to secure your game client and/or servers. Please RT to amplify.https://t.co/4Ji8nsvpHf
— Minecraft (@Minecraft) December 10, 2021
But, and let me emphasise this, this is not just a Minecraft problem. Log4Shell may impact online games, but it can also hit cloud servers and the software at the heart of enterprises.
In fact, over 250 vendors have already issued security advisories and bulletins about how Log4Shell impacts their products.
Make sure you apply security updates as your vendors push them out.
But what if you’re a company or – gulp! – a vendor that might provide software or services that rely upon the vulnerable log4j code?
For some businesses, establishing whether their software is vulnerable and then properly patching it may not be trivial. The problem is compounded by the fact that news of the vulnerability has become public at a time of year when key personnel may have already gone on vacation.
Furthermore, with cybercriminals finding it possible to exploit the Log4Shell vulnerability easily it is possible that some systems have already been compromised, and attackers have actually removed the flaw from some hacked systems to hide their tracks and reduce the chances of discovery.
For that reason, businesses might be wise to approach the problem with the assumption that they have already been compromised.
Don’t make the mistake of thinking that you will win the race to find where your systems, software, or devices might be vulnerable. It’s quite possible that cybercriminals might have got there before you.
- Apache: The security update for log4j, alongside mitigation steps.
- Lunasec: Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package.
- Cygenta: Explaining Log4Shell in Simple Terms.
- Sophos: Log4Shell explained – how it works, why you need to know, and how to fix it.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.