Analysis
August 1, 2022

Log4j is a pervasive vulnerability. Update your devices now

A hole in a popular piece of code is an open window for criminals.

By Jake Mainwaring

Log4j is a piece of open-source code that lets system administrators handle and record errors. However, a disastrous vulnerability in the library has left masses of systems susceptible to cyberattacks.

The zero-day vulnerability, termed ‘Log4Shell’, exploits the fact that Log4j will send requests to arbitrary LDAP (Lightweight Directory Access Protocol) and JNDI (Java Naming and Directory Interface) servers, allowing attackers to execute arbitrary Java code on a server or other computer, or to leak sensitive information.

In other words, hackers can exploit Log4Shell to install malicious software or enable data theft. Because of Log4j’s omnipresence, the threat is global and massive.

“Log4j is almost certainly part of the devices and services you use online every day”, the UK National Cyber Security Centre warns.

It is unsurprising that the cybersecurity watchdog regards Log4Shell as “[potentially] the most severe computer vulnerability in years.”

Hong Kong-based online retailer Alibaba first reported the vulnerability to Apache, the foundation that maintains Log4j, on November 14, 2021. The NCSC issued a warning to alert businesses on December 10.

Despite the severity, Log4Shell remained under the radar for eight years. Apache released the unsafe Log4j v2 on 12 July 2014.

Why Log4Shell is such a big risk

The challenges with patching Log4j pale in comparison to the risks of leaving things as they are.

When errors like “404 not found” appear online, Log4j records information about the user. The record gets transferred to a database for review by the system administrator.

Criminals can easily exploit Log4j to request private information from the database or inject malicious code. They do this by disguising instructions as user information.

Malicious instructions reaching databases have resulted in “[an] onslaught of malicious connection attempts into botnets, forced cryptocurrency mining and execution of ransomware,” according to Jamie Smith, board member and head of cyber at S-RM, a global intelligence and cybersecurity consultancy.

Along with a loss of trust and dangerous consequences for customers, organisations that mishandle data can be hit with steep fines.

Although individual users usually can’t access the source code, we can protect ourselves by promptly installing the latest updates.

Can’t Apache just issue a patch?

They have, but Log4j does not patch itself automatically. Software engineers should install the patch as soon as possible, although doing so is often not straightforward.

It can be difficult to determine if a system uses Log4j.

“[A] straightforward search to determine if you’re using a vulnerable version of Log4j is not necessarily going to find all occurrences of the library in your projects,” Liran Tal, director of developer advocacy at the security service Snyk, tells Verdict.

Large programs often contain code that the company did not write, making finding and patching Log4j costly and time-consuming.

What makes matters more difficult is that Log4j is an extremely popular open-source library. Engineers can incorporate open-source code into systems for free, so Log4j can lie deeply nested and undetected within large systems.
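As an added illustration of the discovery problem Tal describes (this is not code from the article, from Snyk or from Apache), the Python scanner below opens an archive and every archive nested inside it, reports each log4j-core copy it finds via the Maven pom.properties marker, and grades it. The 2.17.1 floor, the “mitigated” status for old builds whose JndiLookup.class has been removed, and the sample EAR are assumptions and constructed data, not real artefacts.

```python
"""Added example: locate every log4j-core copy nested inside JAR/WAR/EAR archives and grade it."""
import io
import re
import zipfile
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
MIN_SAFE = (2, 17, 1)  # assumed floor for the Java 8 line; confirm against Apache's current advisory

def parse_version(text):  # pull (major, minor, patch) out of a Maven pom.properties body
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", text, re.MULTILINE)
    return tuple(int(g) for g in m.groups()) if m else None

def grade(version, jndi_present):
    """patched: at/above floor; mitigated: old build with JndiLookup.class removed; else vulnerable."""
    if version is not None and version >= MIN_SAFE:
        return "patched"
    return "vulnerable" if jndi_present else "mitigated"

def scan_archive(data, path, findings=None):
    """Record log4j-core in this archive, then recurse into every nested archive (jar in war in ear)."""
    findings = [] if findings is None else findings
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings  # named like a jar but not a zip: skip
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        if POM_PATH in names:
            version = parse_version(zf.read(POM_PATH).decode("utf-8", "replace"))
            findings.append((path, version, grade(version, JNDI_CLASS in names)))
        for name in sorted(names):
            if name.lower().endswith((".jar", ".war", ".ear", ".zip")):
                scan_archive(zf.read(name), f"{path}!/{name}", findings)
    return findings

def _zip(entries):  # build an in-memory zip from {name: bytes-or-str}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def build_sample_ear():
    """Constructed test data, not a real artefact: EAR -> WAR -> two log4j-core jars, plus one shaded copy."""
    def core(version, jndi):
        files = {POM_PATH: f"artifactId=log4j-core\nversion={version}\n"}
        if jndi:
            files[JNDI_CLASS] = b"\xca\xfe\xba\xbe"  # stand-in for the real class file
        return _zip(files)
    war = _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core("2.14.1", True), "WEB-INF/lib/vendor-shaded.jar": core("2.17.1", True)})
    return _zip({"app.war": war, "lib/legacy-2.12.jar": core("2.12.0", False)})
REPORT = scan_archive(build_sample_ear(), "sample.ear")  # three findings; only the 2.14.1 copy is vulnerable
```

Point `scan_archive` at the bytes of a real deployable to get one line per embedded copy; a flat filename search would miss the two copies that sit inside app.war.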

“The most commonly experienced impact of Log4j was the need for IT and security teams to work over the holidays to assess risk and make critical changes to protect infrastructure and data,” a survey by the Neustar International Security Council, an elite group of cybersecurity leaders, reported in January.

Due to the challenges with communicating and implementing the patch, “vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” according to the US Department of Homeland Security.

However, governments are growing impatient. UK and US lawmakers have suggested companies could be fined for failing to secure against Log4Shell.

Back to open-source code

Criminals are free to view, test and then exploit vulnerabilities in open-source code.

So, why do companies keep using it?

Alongside its cost and time savings, open-source code in theory has the advantage of many well-resourced users keeping an eye on security.

In practice, however, a lack of diligence has resulted in the Log4Shell disaster.

We reported back in 2019 that much of open-source software contains hidden vulnerabilities.

In an effort to tackle this trend, the US Cyber Safety Review Board has released recommendations for improving open-source security. Google has endorsed the suggestions.

One such recommendation says that companies should “commit financial resources toward the open source projects that they deploy”.

GlobalData is the parent company of Verdict and its sister publications.