Home Web system What is Log4j? Cybersecurity expert explains the latest internet vulnerability, its severity and its challenges

What is Log4j? Cybersecurity expert explains the latest internet vulnerability, its severity and its challenges


Log4Shell, an Internet vulnerability that affects millions of computers, involves obscure but almost ubiquitous software, Log4j. The software is used to record all kinds of activities that take place under the hood in a wide variety of computer systems.

Jen Easterly, director of the US Cybersecurity & Infrastructure Security Agency, called Log4Shell a most serious vulnerability she saw in her career. There have already been hundreds of thousands, maybe millions of tries to exploit the vulnerability.

So what is this humble internet infrastructure, how can hackers exploit it and what kind of chaos could result?

Cybersecurity & Infrastructure Security Agency Director Jen Easterly called Log4Shell “the most serious vulnerability I have ever seen.”
Kevin Dietsch / Getty Images News

What does Log4j do?

Log4j logs events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It is open source software provided by the Apache Software Foundation.

A common example of Log4j at work is when you type or click on the wrong web link and get a 404 error message. The web server running the domain of the web link you tried to access tells you it doesn’t no such web page exists. It also logs this event in a log for server system administrators using Log4j.

Similar diagnostic messages are used in all software applications. For example, in the online game Minecraft, Log4j is used by the server to record activity such as total memory used and user commands entered into the console.

How does Log4Shell work?

Log4Shell works by abusing a feature of Log4j that allows users to specify custom code to format a log message. This feature allows, for example, Log4j to record not only the username associated with each attempt to connect to the server, but also the real name of the person, if a separate server contains a directory linking usernames. and the real names. To do this, the Log4j server must communicate with the server containing the real names.

Unfortunately, this type of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door to nefarious activities such as theft of sensitive information, takeover of the targeted system, and transfer of malicious content to other users communicating with the affected server.

It is relatively easy to operate Log4Shell. I was able to reproduce the problem in my copy of Ghidra, a reverse engineering framework for security researchers, in just minutes. There is a very low bar for using this exploit, which means more malicious people can use it.

Log4j is everywhere

One of the main concerns with Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes Very widespread Log4j. In addition to popular games like Minecraft, it is used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide variety of software programs. software development tools at security tools.

Open source software like Log4j is used in so many products and tools that some organizations don’t even know what pieces of code are on their computers.

This means that hackers have a wide choice of targets to choose from: home users, service providers, source code developers, and even security researchers. So while large companies like Amazon can quickly patch their web services to prevent hackers from exploiting them, many other organizations will take longer to patch their systems, and some might not even know they need it.

The damage we can do

Hackers scour the Internet for vulnerable servers and configure machines capable of delivering malicious payloads. To carry out an attack, they query services (for example, web servers) and attempt to trigger a log message (for example, a 404 error). The request includes maliciously crafted text, which Log4j treats as instructions.

These instructions can create a inverted hull, which allows the attacking server to remotely control the targeted server, or they can make the target server part of a botnet. Botnets use multiple hacked computers to perform coordinated actions on behalf of hackers.

A large number of pirates are already trying to abuse Log4Shell. These range from ransomware gangs locking down minecraft servers at hacker groups trying to mine bitcoin and the pirates associated with China and North Korea trying to access sensitive information from their geopolitical rivals. The Belgian Defense Ministry reported that its computers were attacked using Log4Shell.

Although the vulnerability first gained attention on December 10, 2021, people still identify in new ways cause damage by this mechanism.

Stop the bleeding

It is difficult to know if Log4j is being used in a given software system, as it is often supplied with other software. This forces system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it makes it all the more difficult to eradicate the vulnerability.

Another consequence of the various uses of Log4j is that there is no single solution to patch it. Depending on how Log4j has been incorporated into a given system, the fix will require different approaches. This might require an overall system update, as was done for some Cisco routers, or updating to a new version of the software, as done in Minecraft, or by manually removing the vulnerable code for those who cannot update the software.

Log4Shell is part of the software supply chain. Like the physical objects that people buy, software passes through different organizations and software packages before reaching a final product. When something goes wrong, rather than going through a recall process, the software is usually “patched, which means fixed in place.

However, since Log4j is present in various ways in software products, the propagation of a patch requires the coordination of Log4j developers, software developers who use Log4j, software distributors, system operators and users. Usually this introduces a delay between the availability of the fix in Log4j code and the fact that users’ computers actually close the door to the vulnerability.

[Over 140,000 readers rely on The Conversation’s newsletters to understand the world. Sign up today.]

Some estimates of software repair time generally range from weeks to months. However, if the past behavior is indicative of future performance, it is most likely the Log4j vulnerability. will arise for years to come.

As a user, you are probably wondering what you can do about all of this. Unfortunately, it’s unclear whether a software product you are using includes Log4j and whether it uses vulnerable versions of the software. However, you can help by considering a common refrain from computer security experts: make sure all of your software is up to date.