Log4j vulnerability explained in 10 points: What is it, should you be worried?
What is Log4j? It is a Java-based logging library developed by the Apache Software Foundation. Log4j is used by a range of services such as Apple iCloud, Minecraft, Amazon, among many others. Here’s what is the vulnerability that everyone is talking about.
Updated:Tue, December 14, 2021 6:52pm
By Sneha Saha
Wondering what is Log4j vulnerability? We are here to explain the security risk in 10 simple pointers for you to understand how it impacts millions of people around the world and what you can do to stay safe from such vulnerabilities. Take a look.
-Firstly, what is Log4j? It is a Java-based logging library developed by the Apache Software Foundation. It is used by a range of services such as Apple iCloud, Minecraft, Amazon, among many others.
-Last week, a major vulnerability was found in Log4j, which has put millions of devices at risk. Several cybersecurity researchers state that the Log4j software flaw allows attackers to gain uncontrolled access to computer systems.
- The US government's cybersecurity agency issued a warning against the vulnerability.
-Reports suggest that the vulnerability has impacted a wide range of products from Apple, Twitter, Minecraft, Amazon, and many other platforms. What is even more concerning is that researchers believe all platforms or devices that use Log4j are potentially a target for attacks, which can trigger remote code execution (RCE).
-Termed as Log4Shell or CVE-2021-44228, it is said to be one of the severe security risks on the internet to date, and that's because it affects all versions of Log4j. This also includes Log4j version 2.0-beta-9 to version 2.14.1, which suggests that a wide range of platforms / devices using Log4j are exposed to the vulnerability.
-As per Sean Gallagher, a senior threat researcher at Sophos, "Log4Shell is a library that is used by many products. It can therefore be present in the darkest corners of an organization's infrastructure, for example, any software developed in-house. Finding all systems that are vulnerable because of Log4Shell should be a priority for IT security."
- Apache Logging Services stated in its blog post that the vulnerability was discovered by Chen Zhaojun of the Alibaba Cloud Security Team. According to the Common Vulnerability Scoring System or CVSS, Apache team ranked the vulnerability at number 10, which clearly suggests that the Log4Shell is among the most "Critical" vulnerabilities of all times.
-As per the cybersecurity firm LunaSec, several services are vulnerable to the Log4Shell including gaming service Steam, Apple iCloud, Minecraft, and more. Additionally, on Github, the list of companies impacted by the vulnerability include -- Apple, Tencent, Steam, Twitter, Baidu, DIDI, JD, NetEase, CloudFlare, Amazon, Tesla, Google, Webex, LinkedIn, among others.
-Microsoft's Minecraft has already issued a statement on the security risk and said that users must update the game to avoid getting impacted. Minecraft said in the official statement that the Minecraft Java Edition is impacted and chances of computers getting compromised are high. The company said that the exploit has been "addressed with all versions of the game client patched."
It further noted that users will need to take additional measures to secure the game and servers. Those who are not hosting Minecraft Java Edition on their servers will need to shut all running instances and the Minecraft Launcher and restart the launchers and the "patched version will download automatically." Several other companies such as Paper are also sending patches to fix the issue.
-The vulnerability has reportedly been fixed now with the rollout of the Log4j 2.15.0 update. Security experts advise all IT teams to look up for codes written in Java in their network and check whether they use the Log4j library and update it as early as possible.