Security breach in Log4J

Log4Shell is one of the biggest IT vulnerabilities in years.

Recently uncovered software flaw “most critical vulnerability of the last decade”

Cybersecurity experts have called a recently uncovered software flaw, potentially affecting businesses and individuals worldwide, the “most critical vulnerability of the last decade”.

The “Log4Shell” flaw was uncovered within the open-source logging tool Log4j. Log4j is widely used in cloud servers and enterprise software around the world and for popular games, including Minecraft.

While the initial issue was fixed within days, another vulnerability in Log4j – the third in recent weeks – was discovered on 17th December. As a result, all platforms that use Log4j are encouraged to update to the latest available version of the tool, which will include all recent and up-to-date patches and fixes.

What were the problems with Log4j?

The vulnerability found within Log4j was so severe that it made it possible for anyone with even a basic knowledge of programming – let alone sophisticated cybercriminals – to access internal networks. Once inside a network, anyone could then steal, corrupt, or erase data, plant malware, or hijack systems as part of a ransomware attack, among many other things.

In the hours immediately after the flaw was discovered and became public, many threat actors had already developed and deployed tools and programs to exploit it.

Adam Meyers of Crowdstrike told The Guardian: “The internet’s on fire right now. People are scrambling to patch, and all kinds of people [are] scrambling to exploit it.”

Meanwhile, Joe Sullivan, Cloudflare’s chief security officer, told the newspaper: “I’d be hard-pressed to think of a company that’s not at risk.”

Although millions of servers and services worldwide use Log4j, the full extent of the damage caused by threat actors is unknown at the time of writing, with no major organisations reporting falling victim to a hack as a consequence of the vulnerability. However, some commentators have gone on record saying it will take years to fully address and secure this flaw. As such, while stories about specific vulnerabilities may go away, we could be seeing the fallout of this issue for some time to come.

Tenable CEO Amit Yoran told The Guardian the issue was “the single biggest, most critical vulnerability of the last decade.” Yoran went even further, saying it was possibly the biggest flaw in the history of modern computing.

What made this flaw so dangerous?

The most significant issue was the ease with which servers could be accessed. All anyone needed was the exploit – not a password or any other means of gaining access – and they could get their hands on all the data they wanted. Any unpatched computer using Log4j was at risk.

The first Log4j vulnerability was reported to the Apache Software Foundation by Alibaba on 24th November. It took two weeks to develop and release a fix, although the vulnerability only became public hours before the fix was released. Still, such a short time span didn’t stop cyber criminals from trying to take advantage.

An easy fix, in some cases

An added complication relating to the Log4j flaw is how the tool is used worldwide.

In many cases, enterprise organisations and cloud service platforms like Amazon Web Services could update and patch their servers with relative ease. However, the tool is also embedded in many third-party apps and programs. These will only be updated once their owners or publishers do so, leaving many users unwittingly at risk in the meantime.

Yoran told The Guardian that every organisation using Log4j should assume they were at risk and quickly take remedial action.

Flaw quickly exploited via Minecraft

Shortly after the vulnerability was discovered, there were already reports of Minecraft gamers being breached via messages sent through its in-game chat.

Microsoft quickly issued a software update for Minecraft and said all users who applied the update were protected against the flaw.

Other global brands, including Apple, Amazon and Twitter, didn’t immediately comment on the issue, but all subsequently released updates to their vulnerable platforms and products in the days following the flaw being publicised.

