Critical security gap Log4Shell – software error makes many servers and apps vulnerable

The Log4Shell security gap allows attackers to hijack vulnerable servers using manipulated requests. (picture alliance / dpa | Sebastian Gollnow)

What makes this vulnerability so dangerous?

The Log4Shell vulnerability involves faulty code in a Java library called Log4j. Many commercial software packages use this library to log who is using the software and who is accessing which servers. The situation is explosive for four reasons:

  • IT systems that use Log4j can be accessed very easily through the security gap. With a command string of 30-40 characters, an attacker can spy on such systems, take control of them and, for example, install ransomware to extort a ransom.
  • An enormous number of software manufacturers use the Log4j library, because it is open source, i.e. available free of charge and usable without license fees.
  • Log4j is used to log access, so it is management software with a gatekeeper function. If you can manipulate the gatekeeper or switch it off, you have quick access to the system, unless additional security measures are in place.
  • Many software manufacturers have simply adopted the Log4j library without further testing and without additional security measures, even in IT solutions that are sometimes used in critical infrastructure.

Where is Log4j used?

Worldwide. The special electronic mailbox for lawyers at German courts, for example, had to be taken out of service, and faxes are being sent there again. The library is popular with all the major IT companies, for example Amazon, Google, IBM, Tesla, Twitter and Cloudflare. Camera surveillance systems, QR code scanners and smart home applications such as door locks also work with it, as do many configuration service providers who set up and manage IT systems for other companies. Log4j can also be found in many home offices, where it is used to manage WLAN access. So the faulty library really is extremely widespread.

Have there been any successful attacks?

Yes. Various computer emergency response teams have reported successful attacks, and the BSI has also confirmed some. However, most of the accesses via this security gap so far are probably by security experts who want to see exactly where the problem lies. IT professionals expect that some computer networks will soon be paralyzed by a ransomware attack, with the ransomware being infiltrated through this security hole. There are indications that the loophole has been exploited since December 1, 2021. A larger wave of system failures can therefore be expected in the medium term.

How can such attacks be warded off?

The security gap must first be closed quickly. Then the manufacturers of software products that use the Log4j library must issue security updates for their software. In some cases this already happened over the weekend; elsewhere the manufacturers are currently working feverishly on such updates. And a certain number of manufacturers are still checking whether parts of the Log4j library may have been used in their products at all. So it will take a while before more details are known.
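The check the article describes, finding out which installed components carry the Log4j core and at what version, can be automated for a server's file system. The scanner below is an added example and is not code from the article or from the Log4j project: it reads each jar's Maven metadata and looks for the JndiLookup class entry, treating a jar from which that class was removed as mitigated. The 2.17.0 threshold and the sample jars built in `demo()` are assumptions; adjust the threshold to the current vendor advisory.

```python
import re
import tempfile
import zipfile
from pathlib import Path
# Assumption: log4j-core at or above this version is treated as patched for Log4Shell.
MIN_SAFE_VERSION = (2, 17, 0)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

def parse_version(text):
    """'2.14.1' -> (2, 14, 1); a suffix such as '-beta9' is ignored."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def inspect_jar(path):
    """Finding for one jar, or None if it has no log4j-core marker (JndiLookup removed = mitigated)."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        has_jndi, props = JNDI_CLASS in names, [n for n in names if n.endswith(POM_PROPS)]
        if not has_jndi and not props:
            return None
        text = jar.read(props[0]).decode("utf-8", "replace") if props else ""
    version = m.group(1).strip() if (m := re.search(r"^version=(.+)$", text, re.M)) else None
    # An unknown version with JndiLookup present is reported as vulnerable, not silently skipped.
    vulnerable = has_jndi and (version is None or parse_version(version) < MIN_SAFE_VERSION)
    return {"path": str(path), "version": version, "jndi_lookup": has_jndi, "vulnerable": vulnerable}

def scan(root):
    findings = []
    for path in sorted(Path(root).rglob("*.jar")):
        try:
            findings.append(inspect_jar(path))
        except zipfile.BadZipFile:
            continue  # a .jar that is not a real archive: skip it rather than abort the inventory
    return [f for f in findings if f]

def build_sample_jar(path, version, with_jndi=True):
    # Constructed stand-in for a log4j-core jar: Maven metadata plus an empty class entry.
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        if with_jndi:
            jar.writestr(JNDI_CLASS, b"")

def demo():
    """Scan a temp tree of constructed jars; returns {file name: vulnerable?}."""
    root = Path(tempfile.mkdtemp())
    build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
    build_sample_jar(root / "log4j-core-2.17.0.jar", "2.17.0")
    build_sample_jar(root / "stripped.jar", "2.14.1", with_jndi=False)
    (root / "notes.jar").write_text("not an archive")
    return {Path(f["path"]).name: f["vulnerable"] for f in scan(root)}
```

Nested archives (a log4j-core jar packed inside a WAR or EAR) are not unpacked by this scanner, so those containers need to be extracted first.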

How should consumers react to the vulnerability?

Ordinary users can do little at first. It is now up to the software manufacturers and IT security service providers. As a first-aid measure, some security companies have built filters for the command sequences with which the security gap can be exploited. Larger companies already initiated the usual emergency measures over the weekend: access restrictions, dividing and segmenting networks so that the entire company network is not immediately affected if such an attack succeeds, and restricting access rights, incoming connections and the commands and programs that may be executed. However, all of these measures naturally also restrict the use of the systems and are not very popular with users.

Log4j is open source software. Isn't it as secure as people thought?

Open source means that everyone can look at the code and find bugs. Therefore more errors are found, and faster. But that does not mean open source software is free of security gaps. Log4j is open source software from the Apache Software Foundation; two maintainers are funded part-time through sponsorship. Anyone who uses such a library in software products for critical areas of application must absolutely check how the library behaves in their product and add downstream security routines. Unfortunately this is often neglected for cost reasons. That is negligent.
