What is Log4J vulnerability? All about logging library that has affected digital systems

A few days ago, cyber researchers and experts around the world warned about a zero-day vulnerability in the Java logging library called Log4j. It puts some of the biggest services in the world such as Amazon, Twitter, and Apple iCloud at risk. According to Robert Joyce, director of cybersecurity at the United States National Security Agent, the Log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks.

The vulnerability is largely being called 'Log4Shell' and the name of the Java logging system where it has been found is 'log4j2'. It is referred to as a zero-day vulnerability as bad actors or hackers might have known about it before it was discovered by researchers and experts around the world. Additionally, it might have been exploited without any record or information, making it even more dangerous. 

What is Log4J vulnerability?

Log4j is a Java package that is located in the Java logging systems. As it was vulnerable to illegitimate access by bad actors and hackers, it is being anticipated that it might have been used to access data. The bug makes several online systems built on Java vulnerable to zero-day attacks. If it is exploited by bad actors, it will allow remote code execution (RCE) and allow to download of malware via exposed servers. Since the bug affects companies and services that have millions of customers (and their data), it puts a myriad of servers and machines at risk. 

Various reports suggest that majorly all the versions of the logging package have been affected. The versions range from 2.0-beta-9 to 2.14.1. While a fix has already been released by Apache, it will be difficult for all the servers that use the software to update to the latest patch. Apparently, this makes it one of the biggest cybersecurity threats ever. According to a report by TechCrunch, global companies like Apple, Amazon, Twitter, Cloudflare, Baidu, NetEase, and Tencent are affected by the zero-day vulnerability. Additionally, the popular online game, Minecraft, is a platform where exploitation has been active as some users have been able to control other users systems

Companies such as Cisco and Microsoft have already published advisory documents about the issue. Several software developers have released fixes for the vulnerability last week. However, the complete removal of the bug involves thousands of computers and servers to put the new Java logging system in place, which might be a little difficult. The bug allows hackers to take control of a system and all the information on it. Various companies that manufacture antivirus solutions for computers have reported that their products are detecting multiple infections of the Log4j Java issue.