
The Log4J vulnerability caused the Internet to ‘explode’


A hole in a widely used logging library has become a full-blown security crisis, affecting digital systems across the internet. Hackers have tried to exploit it, but even as fixes appear, researchers warn that the vulnerability could have dire consequences worldwide.

The problem lies with Log4j, a popular open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are trying to patch the bug, which can easily be exploited to remotely control vulnerable systems. At the same time, hackers are actively scanning the internet for affected systems. Some have developed automated tools for exploiting the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.

Log4j is a Java library, and although the programming language is less popular with consumers these days, it is still very widely used in enterprise systems and web applications. Researchers told WIRED on Friday that they expected many mainstream services to be affected.

For example, Microsoft-owned Minecraft on Friday posted detailed instructions on how players with the Java version of the game should patch their systems. “This exploit affects multiple services — including Minecraft Java Edition,” the post reads. “This vulnerability puts your computer at risk of being compromised.” Cloudflare CEO Matthew Prince tweeted Friday that the problem is “too bad,” so the internet infrastructure company will try to implement at least some protection even for customers on its free service level.

All an attacker has to do to exploit the flaw is to strategically send a string of malicious code that is eventually logged by Log4j version 2.0 or higher. The exploit allows attackers to load arbitrary Java code on the server, giving them control.
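Because the affected range is every Log4j release from 2.0 up, the first job for a defender is finding where the library is bundled. The sketch below is an added example, not code from the article or from Apache: it looks for log4j-core inside an archive, including jars nested in WARs and fat jars, assuming the jar was built with Maven and so carries its `pom.properties`; the sample archive and its version number are constructed.

```python
import io
import re
import zipfile

# Maven metadata file that a log4j-core jar carries inside itself.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear")

def find_log4j_core(data, label, depth=0, max_depth=4):
    """Return [(location, version)] for each log4j-core copy in an archive,
    descending into nested archives such as fat jars and WARs."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive: nothing to report
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(\S+)", text, re.MULTILINE)
                hits.append((label, m.group(1) if m else None))
            elif name.lower().endswith(NESTED) and depth < max_depth:
                inner = f"{label}!/{name}"
                hits += find_log4j_core(zf.read(name), inner, depth + 1, max_depth)
    return hits

def needs_review(version):
    """True for the range the article names (2.0 or higher) and for
    versions that cannot be read, which cannot be ruled out."""
    m = re.match(r"(\d+)\.", version or "")
    return m is None or int(m.group(1)) >= 2

def _archive(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def sample_war():
    """Constructed sample input: a WAR that bundles one log4j-core jar."""
    jar = _archive({POM: "artifactId=log4j-core\nversion=2.14.1\n"})
    return _archive({"WEB-INF/lib/log4j-core.jar": jar, "index.html": "ok"})

if __name__ == "__main__":
    for location, version in find_log4j_core(sample_war(), "app.war"):
        print(location, version, "REVIEW" if needs_review(version) else "ok")
```

The article does not say which release contains the fix, so the check only separates copies inside the stated range from those outside it; compare the reported versions against Apache's advisory before clearing anything.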

“It was a design failure of catastrophic proportions,” said Free Wortley, CEO of open source data security platform LunaSec. Researchers at the company published a warning and an initial assessment of the Log4j vulnerability on Thursday.

Screenshots circulating on forums seem to show players exploiting the security hole from the Minecraft chat function. On Friday, some Twitter users began changing their display names to strings of code that could trigger the exploit. Another user changed his iPhone’s name to do the same thing and sent the findings to Apple. Researchers told WIRED that the method could also work using email.

The US Cybersecurity and Infrastructure Agency issued a warning about the security hole on Friday, as did Australia’s CERT. New Zealand’s government cybersecurity organization noted in its alert that the vulnerability is being actively exploited.

“It’s pretty bad,” Wortley said. “A lot of people are vulnerable, and this is very easy to take advantage of. There are some mitigating factors, but this being the real world, there will be many companies that aren’t on current releases scrambling to fix this.”

Apache rates the vulnerability as “severe” and published patches and mitigations on Friday. The organization said that Chen Zhaojun of the Alibaba Cloud Security Team first disclosed the security flaw.
