In late November, a cloud-security researcher for Chinese tech giant Alibaba discovered a flaw in a popular open-source coding framework called Log4j. The employee quickly notified Log4j’s parent Apache Software Foundation, a group of volunteer programmers who maintain the framework. The message, which was obtained by Bloomberg News, was clear: hackers could exploit this vulnerability to carry out destructive cyberattacks across the globe, by taking control of targeted computers with remote code execution. This threat “has major impact,” the employee wrote.
With disaster seemingly imminent, cybersecurity experts were suddenly racing the clock to patch the opening before hackers could get to it. But the whole operation was still hush-hush until last week, when the first public case emerged: Minecraft, the best-selling video game of all time, published a blog post revealing a version of the game had a flaw that could let hackers take over players’ computers, and urged users to download a rushed security update. The Log4j vulnerability was now disclosed, putting the entire cybercommunity on high alert.
Here’s what to know:
What exactly is the Log4j vulnerability?
Log4j is a logging framework, meaning it lets developers monitor or “log” digital events on a server, which teams then review for typical operation or abnormal behavior.
The vulnerability, dubbed Log4Shell, results from what coders call improper input validation. Typically, software should safeguard against data coming from untrusted users online, but the flaw allows it through, which can then let data supplied by untrusted outsiders manipulate the server’s actions. According to British security developer Sophos, that could mean anything from leaking information online or automatically installing malware.
What’s the crisis level?
High. Log4j, a Java library, is very widely used, including in applications from Amazon, Microsoft, IBM, Google, Cisco, Twitter, Steam—and even the United States Cybersecurity and Infrastructure Security Agency. Hence, the flaw is an opportunity for hackers to let themselves in to millions of computer systems worldwide, wreaking untold havoc.
It seems to have already begun with a ransomware hit on workforce management platform Kronos that could delay payrolls, which analysts suspect is linked to Log4Shell. Other reports of exploits include hijacking computing power to mine cryptocurrency, and armies of zombie botnets recruiting more machines into their ranks. And there are further reports that hackers have been mass-scanning servers in order to thumbprint vulnerable systems.
What’s being done about it?
It’s up to companies to engineer patches for the bug, ideally before hackers can exploit it in the wild. Many companies, including Amazon, Microsoft, IBM, and Google, have said they are already investigating or working to deploy fixes. However, a major headache—and what has cybersecurity experts so frantic—is that many companies may not even know they were built with Log4j, as programs are often developed with multiple components pulled from various sources. It’s a problem that a recent White House order, which establishes a so-called “software bill of materials,” hopes to solve, by requiring companies that sell software to the government to list all of the bits and pieces.
But experts predict it will take months, or even years, to clean up the mess created by the Log4j vulnerability. That would involve updating all affected systems with patched versions. Even then, it’s possible that some hackers who infiltrated systems earlier could have installed backdoors to access the servers even after they’ve been patched.
Is anyone to blame?
Not really. Some are firing shots at Apache, claiming that the flaw should have been identified and fixed as early as 2016, when researchers presented a method to exploit a class of software including Log4j at the Black Hat cybersecurity conference.
However, the situation has also spotlighted the fact that vast swaths of modern software are built with open-source programs maintained by unpaid volunteers—who may be juggling a number of other responsibilities—and has raised questions about what we could do to lessen the drawbacks of that practice.