Apache: What is Log4Shell? Why is it the worst computer vulnerability of the decade?



On November 24, researcher Chen Zhaojun, from the Alibaba Cloud Security Team, found a weakness in Log4j, a popular tool from the open-source giant Apache that is present in countless web pages and applications. The vulnerability, dubbed Log4Shell, allows a potential cybercriminal to remotely execute code on someone else’s computer. Among the risks that can slip through this half-open and hitherto unknown door are malicious programs that hold data hostage or install spying systems, among others.

According to Bloomberg, Zhaojun rushed to contact Apache but kept his discovery secret in order to give its developers room to respond. “Please hurry up,” he wrote after a few days. The urgency was warranted. Log4Shell has been classified as the most critical vulnerability of the last decade, not so much for its complexity as for the fact that the library is so widespread that it is impossible to determine how many entities it affects. The problem is what is known as a “zero-day” vulnerability, the term for a security gap for which no patch yet exists. Any system that incorporated Log4j before the updates began to arrive is exposed.

The official announcement of the existence of Log4Shell, which arrived on December 9, unleashed a race in opposite directions: on one side, companies and administrations from all over the world rushed to secure their systems; on the other, cybercriminal gangs of the stature of Conti – one of the main ransomware operators worldwide – rushed to get their share before the situation was under control. The race continues.

1. What is Log4j?

Log4j is an open-source library created by the Apache Software Foundation. Libraries of this type provide ready-made functionality that lets programmers work faster, without having to build everything from scratch. Thousands of projects integrate this tool into their own programs to log their activity. “It is almost universal,” sums up Eusebio Nieva, technical director for Spain and Portugal at the cybersecurity company Check Point Software. The information contained in the logs generated by Log4j can be used, for example, to find errors in the performance of the program being monitored.


The enormous spread of this library is explained by Apache’s importance in the open-source world and by the fact that Log4j is aimed at developing applications in Java. This programming language, present in applications and web pages, is, according to the latest Stack Overflow survey, the fourth most used worldwide, behind only JavaScript, Python and SQL.

2. Why is a vulnerability like Log4Shell so dangerous?

This vulnerability could allow a third party to remotely execute code on someone else’s computer. What can be done with such power? “The field is wide open,” sums up José Rosell, managing partner of S2Grupo, a company specializing in cybersecurity and mission-critical systems operations. Being able to run commands on the attacked machine would allow, for example, downloading ransomware with which to infect and encrypt the computers on the network, or simply spying. “What we have is a vulnerability that allows us to enter one or more computers in the organization. From there you can use the classic attack techniques.”

The main problem, and what makes this vulnerability the worst of the decade, is the widespread use of this library. “There have been much more sophisticated vulnerabilities; the problem with this one is the exposure surface. Every time I think about it, my hair stands on end,” admits Rosell.

The relative ease of exploiting Log4Shell adds to its disaster potential. “To exploit these vulnerabilities, all that is needed is a small amount of Java code, readily available from published proofs of concept, and a tool that is capable of manipulating the content of web requests or other internet traffic that may be logged by the software targeted by the attack,” specifies Sean Gallagher, principal threat researcher at the cybersecurity firm Sophos.

3. Who is affected?


The versatility of Java and the ubiquity of Log4j in software written in this language place this vulnerability in all types of systems. “From the router you have at home to the mobile application you use to access your bank account, including the programs that may be running in a car,” lists the S2Grupo spokesperson.

Although lists of vendors whose products include Log4j are being drawn up, Apache insists that it is impossible to know its true scope exactly. “Any figure would be pure speculation and probably wrong by a large margin,” they state on the foundation’s blog.

4. What consequences has it had so far?

As of last Friday, Check Point had detected nearly three million attempts to exploit the vulnerability. More than 46% of these came from known malicious groups. “And these are only the ones we have seen,” Nieva clarifies.

The security firm Netlab also found, within days of the vulnerability becoming known, malware from ten different families spreading through Log4j. These include cryptominers such as Kinsing, which use the resources of infected machines to mine cryptocurrency, and botnets like Muhstik, which enrol the compromised machines into a network from which the cybercriminal can orchestrate other attacks.

For Rosell, the worst possible scenario is an escalation of cybersecurity incidents that ends up saturating the response capacity of companies like his: “Right now it is not pleasant, but we are going at cruising speed. Our fear is that there will not be time to patch quickly enough to avoid a flurry of attacks.”

5. How can the vulnerability be fixed? Who should do it?

Apache accompanied the announcement of the vulnerability with the publication of the first patch aimed at correcting it. Since then, two more updates have been released that extend the protection and make it harder for cybercriminals to abuse Log4j. Systems running the latest versions should be safe.

The ball is now in the court of the countless companies and institutions whose software (commercial or custom-made) may incorporate an old version of the library. “First, companies have to know which of the programs they have is vulnerable, and the developers of that software have to release new versions that customers can install. Companies that have created their own internet applications using Java components will have to check and update the Log4j code in any of those applications,” Gallagher explains.
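The first step Gallagher describes, finding out which programs bundle an old Log4j, can be automated. The script below is an added example (not from the article, Apache or any vendor quoted here) that walks a directory tree, identifies jars that carry log4j-core by their Maven metadata, and reports each one as fixed, vulnerable, or patched only by the stopgap of removing the JNDI lookup class. The article gives no version numbers, so the fixed version must be supplied by the caller from Apache’s advisory; all versions and jar names in `demo()` are constructed sample values.

```python
import os, re, tempfile, zipfile

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # the JNDI lookup class

def parse_version(text):
    """'2.14.1' -> (2, 14, 1) so versions compare numerically; rejects non-versions."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text)[:3])
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    return parts
def inspect_jar(path):
    """(log4j-core version or None, JndiLookup present); pom.properties also finds shaded copies."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            m = POM_PROPS in names and re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode(), re.M)
            return (m.group(1) if m else None), JNDI_CLASS in names
    except zipfile.BadZipFile:
        return None, False  # not a real archive; nothing to report
def classify(version, has_jndi, minimum_fixed):
    """'fixed' at/above the fixed release; else 'vulnerable' with JndiLookup present, 'class-removed' without."""
    if parse_version(version) >= parse_version(minimum_fixed):
        return "fixed"
    return "vulnerable" if has_jndi else "class-removed"
def scan(root, minimum_fixed):
    """Walk a directory tree; map every jar that bundles log4j-core to its status."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, name)
            version, has_jndi = inspect_jar(path)
            if version is not None:
                report[path] = classify(version, has_jndi, minimum_fixed)
    return report
def make_sample_jar(path, version=None, with_jndi=False):
    """Constructed fixture: a minimal jar imitating log4j-core's internal layout."""
    with zipfile.ZipFile(path, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
def demo(minimum_fixed="2.99.0"):
    """Scan a constructed sample tree (every version here is made up) -> {jar name: status}."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "app-old.jar"), "2.14.1", with_jndi=True)
        make_sample_jar(os.path.join(root, "app-stopgap.jar"), "2.14.1")
        make_sample_jar(os.path.join(root, "app-new.jar"), minimum_fixed, with_jndi=True)
        make_sample_jar(os.path.join(root, "other-lib.jar"))
        return {os.path.basename(p): s for p, s in scan(root, minimum_fixed).items()}
```

A jar reported as `class-removed` is still running an old release and should be upgraded; the check only distinguishes it from an unmitigated copy.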


End users, for our part, are responsible for keeping our devices and their applications up to date on security. Although many updates will be applied automatically and in the background, in some cases you may be notified that there are pending processes. “All the updates requested by the operating systems of mobiles, tablets and computers should be applied as soon as possible,” urges Rosell.

6. When can the situation be considered controlled?

“Never,” Rosell declares. Once again, the wide dissemination of this library makes it unrealistic to expect that 100% of the entities that use it will install the relevant patches. It is reasonable to expect that large organizations will invest the necessary resources in neutralizing the threat in the short term, which will somewhat dissipate the risks associated with Log4Shell. However, the wait can drag on indefinitely for smaller entities that do not have the means to take action, or for those that are not even aware that Log4j is part of their systems.

“Unfortunately, there are hundreds of vulnerable products, and companies may not discover all of their vulnerabilities for a few months, if at all,” says Gallagher. In fact, these vulnerabilities typically continue to be exploited by criminals for up to several years after they have been identified.

You can follow EL PAÍS TECNOLOGÍA on Facebook and Twitter or sign up here to receive our weekly newsletter.




elpais.com

George Holan

George Holan is chief editor at Plainsmen Post and has articles published in many notable publications in the last decade.