Log4Shell: The race is on to fix millions of systems and internet-connected devices

Graham Cluley
@gcluley

The race is on for companies to find and fix Log4Shell vulnerabilities on their systems

Everyone is talking about Log4Shell, a zero-day remote code execution exploit in versions of log4j, the popular open source Java logging library.

In fact, I’ve received so many emails from PR agencies pitching their cybersecurity clients’ views on Log4Shell that it felt like my inbox was suffering a denial-of-service attack…

Details of the critical vulnerability were made public on Friday last week, almost a month after the cloud security team at Alibaba responsibly disclosed it to the Apache Software foundation.

The software flaw, which is being actively exploited by criminals, allows remote attackers to trick servers into running malicious code.

And that’s a big problem. Because Log4j is ubiquitous, widely used in a huge number of software products, online systems, and internet-connected devices.

One of the first public signs that the vulnerability was being exploited appeared in Minecraft, where attackers were able to run unauthorised code on Minecraft servers by pasting a message into the game’s online chat feature.

Sign up to our newsletter
Security news, advice, and tips.

But the attacks go deeper than simply messing with people’s gaming. You don’t win any prizes for predicting that the vulnerability will be exploited to plant malware, install ransomware and cryptomining code, and steal data and user credentials.

What do you need to do about the Log4Shell exploit?

If you’re a regular user, make sure that updates are installed for software and internet-enabled devices as soon as they are made available. For instance, Microsoft has already released a security update if you’re a Minecraft player.

But, and let me emphasise this, this is not just a Minecraft problem. Log4Shell may impact online games, but it can also hit cloud servers and the software at the heart of enterprises.

In fact, over 250 vendors have already issued security advisories and bulletins about how Log4Shell impacts their products.

Make sure you apply security updates as your vendors push them out.

But what if you’re a company or – gulp! – a vendor that might provide software or services that rely upon the vulnerable log4j code?

For some businesses, establishing whether their software is vulnerable and then properly patching it may not be trivial. The problem is compounded by the fact that news of the vulnerability has become public at a time of year when key personnel may have already gone on vacation.

Furthermore, with cybercriminals finding it possible to exploit the Log4Shell vulnerability easily it is possible that some systems have already been compromised, and attackers have actually removed the flaw from some hacked systems to hide their tracks and reduce the chances of discovery.

For that reason, businesses might be wise to approach the problem with the assumption that they have already been compromised.

Don’t make the mistake of thinking that you will win the race to find where your systems, software, or devices might be vulnerable. It’s quite possible that cybercriminals might have got there before you.

Further reading:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

What do you think? Leave a comment

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.