A vulnerability in a widely used logging library has become a full-blown security meltdown, affecting digital systems across the internet. Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide.
The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
Log4j is a Java library, and while the programming language is less popular with consumers these days, it's still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected.
For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game's Java version should patch their systems. “This exploit affects many services—including Minecraft Java Edition,” the post reads. “This vulnerability poses a potential risk of your computer being compromised.” Cloudflare CEO Matthew Prince tweeted Friday that the issue was “so bad” that the internet infrastructure company would try to roll out a least some protection even for customers on its free tier of service.
All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
“It's a design failure of catastrophic proportions,” says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday.
Minecraft screenshots circulating on forums appear to show players exploiting the vulnerability from the Minecraft chat function. On Friday, some Twitter users began changing their display names to code strings that could trigger the exploit. Another user changed his iPhone name to do the same and submitted the finding to Apple. Researchers told WIRED that the approach could also potentially work using email.
The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia's CERT. New Zealand's government cybersecurity organization alert noted that the vulnerability is reportedly being actively exploited.
“It's pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”
Apache rates the vulnerability at “critical” severity and published patches and mitigations on Friday. The organization says that Chen Zhaojun of Alibaba Cloud Security Team first disclosed the vulnerability.
The situation underscores the challenges of managing risk within interdependent enterprise software. As Minecraft did, many organizations will need to develop their own patches or will be unable to patch immediately because they are running legacy software, like older versions of Java. Additionally, Log4j is not a casual thing to patch in live services because if something goes wrong an organization could compromise their logging capabilities at the moment when they need them most to watch for attempted exploitation.
There's not much that average users can do, other than install updates for various online services whenever they're available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.
“Security-mature organizations will start trying to assess their exposure within hours of an exploit like this, but some organizations will take a few weeks, and some will never look at it,” a security engineer from a major software company told WIRED. The person asked not to be named because they are working closely with critical infrastructure response teams to address the vulnerability. “The internet is on fire, this shit is everywhere. And I do mean everywhere.”
While incidents like the SolarWinds hack and its fallout showed how wrong things can go when attackers infiltrate commonly used software, the Log4j meltdown speaks more to how widely the effects of a single flaw can be felt if it sits in a foundational piece of code that is incorporated into a lot of software.
“Library issues like this one pose a particularly bad supply chain scenario for fixing,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability researcher. “Everything that uses that library must be tested with the fixed version in place. Having coordinated library vulnerabilities in the past, my sympathy is with those scrambling right now.”
For now, the priority is figuring out how widespread the problem truly is. Unfortunately, security teams and hackers alike are working overtime to find the answer.
- 📩 The latest on tech, science, and more: Get our newsletters!
- The Twitter wildfire watcher who tracks California’s blazes
- A new twist in the McDonald’s ice cream machine hacking saga
- Wish List 2021: Gifts for all the best people in your life
- The most efficient way to debug the simulation
- What is the metaverse, exactly?
- 👁️ Explore AI like never before with our new database
- ✨ Optimize your home life with our Gear team’s best picks, from robot vacuums to affordable mattresses to smart speakers
