Major Security Vulnerability Triggers Worldwide Internet Crisis

The Log4j code vulnerability has the media declaring the Internet in a state of crisis. Log4j is a Java-based logging framework developers use to track user activity within applications on the popular Apache web server. Security experts are rushing to patch the bug, which is being exploited to remotely assume control of vulnerable systems, stealing credentials, installing malware and launching other attacks that permeate consumer devices. Last week, the U.S. Cybersecurity and Infrastructure Security Agency issued a Log4j alert, as did Australia’s CERT emergency response team.

CRN has put together a list of large web service companies affected by the Log4j crisis with detailed notes as to which configurations are impacted. Amazon Web Services, Broadcom, Cisco and IBM are among those CRN lists as scrambling to advise customers how to deal with the issue. It should be noted that JavaScript — relied on by 97 percent of websites for browser display, per W3Techs — is a separate coding language that is unaffected.

CRN estimates that as of December 2021 about 3.8 percent of websites use Java, but many are enterprise players with voluminous consumer touchpoints, among them LinkedIn, Adobe and Twitter. CISA estimates “hundreds of millions of devices are likely affected,” reports Wired. “The hard part will be tracking all of those down.”

Attackers are exploiting the Log4j flaw by sending a malicious code string that version 2.0 or higher of Log4j eventually logs, allowing the malevolent party to control the targeted computer. “It’s a design failure of catastrophic proportions,” Free Wortley, CEO of the data security firm LunaSec, told Wired.

Cloudflare CEO Matthew Prince found the problem so severe the company is rolling out some protection for even those who use its free tier of service. Wired says the vulnerability can even potentially be exploited using email.

In 2015 IDG reported Java as “the biggest vulnerability for U.S. computers.” This year, Microsoft unveiled a new version of its online game “Minecraft” with no outward-facing Java code. Microsoft is providing patch instructions for those using the original Java Edition of its “Minecraft” online game.

Oracle, which technically owns Java and continues to license newer versions, says that even websites that don’t require log-in credentials can be exploited and offers advice on Log4j fixes. The Apache Software Foundation distributes the Log4j app free. Apache rates the problem “critical” and has published its own patches and mitigation tips.

Related:
Log4j Exploits Attempted on 44% of Corporate Networks; Ransomware Payloads Spotted, VentureBeat, 12/14/21
‘Less Obvious’ Uses of Log4j Pose a Major Risk, VentureBeat, 12/13/21