A Simple Explanation of the Latest Vulnerability to Hit the Internet - Log4Shell

This blog is a primer on Log4Shell meant to help people who aren’t familiar with the more in-depth technical aspects of security understand what’s happening with this new vulnerability. If you are looking for guidance written for security professionals, please see this blog.

What is Log4Shell?

There is a weakness in a popular software tool, Log4j, that is used by a large part of the internet. When a user sends certain specially crafted text to an application that uses Log4j, the tool handles that text in a way that can give the sender total control of the device the software is running on.

To put it more explicitly, Log4Shell is a vulnerability in the logging software Log4j. This vulnerability gives attackers Remote Code Execution (RCE), the ability to run their own code on whatever system they are targeting. RCE is one aspect of what makes Log4Shell so dangerous - it gives attackers a way in and the ability to execute whatever software they want once they are in.

When was it discovered?

Log4Shell was discovered and disclosed to Apache (the organization that manages the Log4j project) on November 24, 2021 by members of the Alibaba Cloud Security Team. However, it was not publicly disclosed until December 9. Security teams have been scrambling to make sure they are not affected by this vulnerability since then.

As of this writing, we have yet to see the truly detrimental effects of this vulnerability. That’s for a reason - a vulnerability is not the same as a fully-fledged attack. Attackers are developing exploits so they can take advantage of this vulnerability, but that takes some time. Thus far, they have been exploring this vulnerability, but only really using it to deploy cryptominers and botnets. It is likely attackers will use this vulnerability for years to come, with attacks that may involve ransomware or other attack types.

Who is affected?

In a word - everyone. Millions of applications use Log4j. Applications on the Internet form a complex, interconnected system; one application may rely on several other pieces of software for certain tasks - such as logging, in the case of Log4j. This means that, while your software may not use Log4j directly, you may be using someone else’s software that does, putting you at risk anyway. It’s turtles all the way down. Therefore, if one piece of software used by MANY applications, such as Log4j, has a vulnerability, then all of the applications that use that software are at risk. It’s Six Degrees of Kevin Bacon, but with software.

Why should I care?

At first glance, this vulnerability may seem disconnected from your daily life - however, because of the interconnectedness of our software, it really isn’t. Given that Log4j is so ubiquitous, this affects many applications that we and our families use on a daily basis, like iCloud, Minecraft, Steam, Cloudflare, and many others. The US federal government has also issued an advisory about this vulnerability. Much like geopolitical events, sports, history, and the latest movies, staying up-to-date on attacks that might affect you, those you know, or the businesses you use on a daily basis gives you context to better engage with our world and society. It also helps you figure out which businesses are doing a good job protecting your privacy and which ones aren’t.

As a bit of trivia - oddly enough - this software is even used on Ingenuity, the Mars 2020 helicopter. First vulnerability in space?

Let me know if you have any questions about this, and I hope this blog helped shed some light on this latest vulnerability.

Allie Mellen

I am a computer engineer by training who has spent the past decade in engineering, research, and technical consulting roles at multiple venture-backed startups, as well as research roles at MIT and BU. I ran my own successful engineering and development consultancy for a number of years, where I also worked with multiple nonprofits to teach engineering and entrepreneurship to students and minorities. I got started in security as a hacker researching vulnerabilities in IoT devices, which culminated in a talk at Black Hat USA. Now, I am an analyst on the security and risk team at Forrester, where I am a frequent speaker at security conferences globally teaching about security and pushing the boundaries of the industry.

https://hackerxbella.xyz