Updated December 11th, 2021 at 15:43 IST
Amazon, Twitter & more online services at risk due to Java logging system's vulnerability
The zero-day vulnerability is a big threat to several companies and popular internet-based services such as Amazon, Twitter, Apple iCloud and more.
Many online services are built using Java, a high-level programming language that is widely used as the server language for the back-end of websites and other systems. Most recently, a vulnerability has been discovered in a Java logging library. The bug makes several online systems built on Java vulnerable to zero-day attacks. If it is exploited by bad actors, it will allow remote code execution (RCE) and the download of malware via exposed servers.
The zero-day vulnerability is a big threat to several companies and popular internet-based services such as Amazon, Twitter, Apple iCloud, the popular online game Minecraft and Cloudflare. The Java logging library in which the bug has been found is called 'log4j2', and the vulnerability is called 'Log4Shell'. Since the bug affects companies and services that have millions of customers (and their data), it puts a myriad of servers and machines at risk.
More details about the vulnerability that poses a major risk to the internet
The Java logging package that contains the bug is called Log4j and has been developed by Apache Software. Reports also suggest that almost all versions of the logging package have been affected, ranging from 2.0-beta-9 to 2.14.1. While a fix has already been released by Apache, it will be difficult for all the servers that use the software to update to the latest patch. Apparently, this makes it one of the biggest cybersecurity threats ever.
According to a report by TechCrunch, global companies like Apple, Amazon, Twitter, Cloudflare, Baidu, NetEase and Tencent are affected by the vulnerability. Additionally, the popular online game Minecraft is a platform where exploitation has been active, as some users have been able to control other users' systems by putting small messages in the chat box. If exploited, the security bug will let a bad actor take full control of target servers by executing the necessary code.
According to Robert Joyce, director of cybersecurity at the United States National Security Agency, "The Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA's GHIDRA." New Zealand's Computer Emergency Response Team has also warned that bad actors and hackers are looking for servers that are vulnerable to the bug. Read what a cybersecurity expert says below.
This log4j (CVE-2021-44228) vulnerability is extremely bad. Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string. So far iCloud, Steam, and Minecraft have all been confirmed vulnerable.
— Marcus Hutchins (@MalwareTechBlog)
In the case of Minecraft, attackers were able to get remote code execution on Minecraft Servers by simply pasting a short message into the chat box.
— Marcus Hutchins (@MalwareTechBlog)
If you can't upgrade log4j, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to True (-Dlog4j2.formatMsgNoLookups=true in JVM command line).
— Marcus Hutchins (@MalwareTechBlog)
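A defender's inventory check built from the affected range and the JVM flag quoted above, as an added example that is not from the article, the quoted posts or Apache. The function names and the sample inventory are constructed, and the rule that the flag is only honoured from Log4j 2.10 onward is added knowledge that the article does not state.

```python
import re

STAGES = {"alpha": 0, "beta": 1, "rc": 2, None: 3}   # None = final release
# Affected range as given in the article: 2.0-beta-9 through 2.14.1.
FIRST_AFFECTED = (2, 0, 0, STAGES["beta"], 9)
LAST_AFFECTED = (2, 14, 1, STAGES[None], 0)
# Not from the article: the formatMsgNoLookups property is only read by 2.10+.
FLAG_MIN = (2, 10, 0, STAGES[None], 0)
FLAG_KEY = "-Dlog4j2.formatMsgNoLookups"
JAR_RE = re.compile(
    r"log4j-core-(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)-?(\d+))?\.jar$", re.I)

def parse_jar(name):
    """Turn a log4j-core jar file name into a sortable version tuple."""
    m = JAR_RE.search(name)
    if not m:
        return None
    major, minor, patch, stage, num = m.groups()
    rank = STAGES[stage.lower() if stage else None]
    return (int(major), int(minor), int(patch or 0), rank, int(num or 0))

def flag_enabled(jvm_args):
    """Conservative: the flag must be present and every occurrence must be true."""
    values = [a.partition("=")[2] for a in jvm_args
              if a.partition("=")[0] == FLAG_KEY]
    return bool(values) and all(v.strip().lower() == "true" for v in values)

def assess(jar_name, jvm_args):
    version = parse_jar(jar_name)
    if version is None:
        return "not-log4j-core"
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "outside-article-range"
    if flag_enabled(jvm_args) and version >= FLAG_MIN:
        return "affected-flag-mitigated"
    return "affected-upgrade-needed"

SAMPLE = [  # constructed inventory: (jar file name, JVM arguments)
    ("log4j-core-2.14.1.jar", ["-Xmx2g"]),
    ("log4j-core-2.14.1.jar", ["-Dlog4j2.formatMsgNoLookups=true"]),
    ("log4j-core-2.8.2.jar", ["-Dlog4j2.formatMsgNoLookups=true"]),
    ("log4j-core-2.0-beta8.jar", []),
    ("log4j-core-2.99.0.jar", []),   # made-up version above the range
]

if __name__ == "__main__":
    for jar, args in SAMPLE:
        print(f"{jar:28} {assess(jar, args)}")
```

A result of `outside-article-range` only means the version is not in the range the article gives; it says nothing about other issues in that version.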
Published December 11th, 2021 at 15:43 IST