It is the end of another week. Last Monday morning, you sat at your desk and turned on your computer as normal, without ever being concerned about a vulnerability in Log4j. If that describes you or your organisation, count yourself lucky, but stay alert.
For the last week, the world of computing, especially cyber security, has been scrambling to protect the internet from a software flaw that all agreed was “the most critical vulnerability of the last decade.”
You may not have heard of Log4j, but the chances are that you are using the software even at this very moment. Every bit of software we use keeps records, or logs. Most software developers use an open source logging system, Log4j. The system is operated by the Apache Software Foundation, an American non-profit corporation that supports open source software projects.
On the 9th December, Chen Zhaojun, a member of the cyber security team at Chinese company Alibaba, discovered a vulnerability in Log4j, which he promptly reported to the Apache Software Foundation. The vulnerability, listed as CVE-2021-44228, was first discovered in the video game Minecraft.
The flaw allows a malicious attacker to remotely take control of a targeted server. Shortly after the vulnerability was first reported, Wired, the monthly magazine that focuses on emerging technologies, reported that hackers were already attempting to attack Minecraft. Many more are vulnerable: the software is used by millions of web applications, including Apple’s iCloud. So ubiquitous is Log4j that potentially anyone who uses the internet is likely to be affected.
America’s Cybersecurity and Infrastructure Security Agency (CISA) thought it sufficiently severe to call on anyone using Log4j to take immediate action.
“CISA encourages users and administrators to review the Apache Log4j 2.15.0…and upgrade, or apply the recommended mitigations immediately.”
Since the problem was first reported on the 9th, thousands of IT teams around the world have been in a race with hackers, trying to patch the vulnerability before hackers get into their systems.
But although many systems are now protected, it may take months before everyone who needs to apply the recommended solutions has done so. Some servers, especially those that are aging, may never have the suggested protection applied.
Open source software is often preferred because its transparency means that several IT teams can be watching it. The fact that the latest flaw was first detected by a Chinese IT security team and was immediately communicated to Apache, in America, would seem to be a vindication of that reasoning.