The internet has been melting down about a vulnerability discovered in the Apache log4j component – and for good reason.
Don’t like reading, skip to the bottom and watch the video I recorded that explains everything 🙂
What is log4j?
Log4j is a library that helps software developers build in logging into their application without having to write that part of code. Libraries are used a lot in software to help shortcut programming efforts, so it’s not abnormal to use existing solutions to meet a need.
Think of logging like the software keeping a diary or journal. They usually record time stamped entries that outline various activities of the application, whether they be security related (who accessed what, who logged in from where), how the software is behaving, and any error information to help technical people problem solve issues with the software.
Log4j is leveraged by a LOT of vendors and software applications and because it is embedded deep within the software you really can’t tell on the surface whether it is or isn’t used. If the software was written using the Java programming language, which is a very popular language, chances are it’s been leveraged.
We know from experts in the field that the following vendors use log4j in their solutions:
- Apache applications (e.g. Struts, Solr, Druid)
- Video games (e.g. Minecraft)
The list goes on. There is valid reason why media is jumping up and down about this and people are working around the clock to patch or remediate the issue.
What is the vulnerability?
Basically log4j supports the ability to import code from a web address, if it’s formatted in a particular way. This again isn’t an uncommon feature to have. Your website (and this website) import pieces of software code from other web addresses – like fonts and style sheets.
The problem is that if you trick log4j into importing some malicious code, it will download it and execute it. In theory you could trick a system running log4j into downloading and running malware which may be a Remote Access Trojan (RAT), Ransomware, or anything else you can think of.
How is the vulnerability triggered?
Here’s the brilliant part. If the application using log4j has a web interface (most do these days), you may be able to enter the malicious url into any form (text input) in the web application’s interface.
Think entering something funky like www.malciousdomain.com/ransomware.payload.txt into the contact form on a website.
It’s that simple.
It’s already been weaponized!
We’re already seeing activity from threat actors using this vulnerability to push crypto miners, botnets and remote access trojans – so it’s only a matter of time till we start seeing this little fella turn up in the news as being responsible for a serious cyber attack against something critical.
What can you do?
We’ve built out playbooks to help identify vulnerable applications and check to see whether they have been compromised. So if you need help, reach out!
Otherwise you should:
- Check with your software and hardware vendors if they have published information on whether their products or solutions are vulnerable to this exploit
- Update all software and hardware
- Block access from the internet for any software or hardware you can’t update, or hasn’t published information on this
Too Long, Didn’t Read? Or just don’t like reading.
In this quick video I answer a few questions
- What is log4j
- Where and who uses log4j
- What is this vulnerability that has the internet melting down
- Why you should be concerned
- What you can do to protect yourself