Widespread Java exploit could spread malware to millions, CISA warns

The Log4j exploit exists in applications used by hundreds of millions of people all over the world.


A newly discovered vulnerability in Java-based software could potentially affect millions of devices around the world, the Department of Homeland Security warned in a briefing this week. The vulnerability is in a popular logging library called “Log4j,” which is used by many large corporations like Apple, Amazon Web Services, and Cisco.

The Cybersecurity and Infrastructure Security Agency (CISA) released an official statement warning the general population about the vulnerability.

“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” writes CISA director Jen Easterly. “We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability.”

Easterly calls upon hardware and software vendors to prioritize finding a fix for the vulnerability, which is reportedly being exploited already by hackers. Some have even managed to create software that searches for affected systems and automatically spreads malware, similar to last year's SolarWinds attacks.

Sorry, Log what now? — The vulnerability in question exists in Log4j, an open-source Apache logging framework — in other words, it’s designed to track and note every activity completed by an application. It’s used all around the world by a diverse set of companies for this purpose.

As Wired explains, the Log4j vulnerability is very, very easy to exploit. All a hacker needs to do is send a single string of malicious code, which then gets logged by Log4j. Then the hacker can just... take control of the server. That’s all it takes.

Some have already found creative new ways to set off this very attack. Some Minecraft players have reportedly been doing so with the in-game chat system; Twitter users started changing their usernames to strings that could set off the exploit; at least one person has changed their iPhone name to do the same. Even an email could set it off.

So…what can I do? — This exploit is bad. Like bad bad. It’s super easy to utilize for malicious purposes, and the library it targets is used by so very many companies.

If there’s any good news, it’s that top cybersecurity researchers are hot on the trail of a fix. Apache has already released a Log4j patch that should slow the spread of the exploit’s usage, though it’s only compatible with the most modern versions of Java.

The bad news: There’s not much the average internet user can do to protect themselves. This is something corporations will need to fix up. The best thing we, as the public, can do is to keep abreast of news related to the exploit and follow any instructions dictated by software companies and network admins.

Cybersecurity experts — both private ones and those employed by the government — are working at full throttle to stop this exploit in its tracks. We can only hope the cybersecurity community learns from the experience and puts preventative measures in place so it’s less likely to happen again in the future.