The entire technology industry received a sizable lump of coal in its collective stocking earlier this week in the form of two major security vulnerabilities in a widely used software tool. Here’s a quick breakdown of what it means for internet users.
What is Log4J?
Log4J is an open-source software tool used to log activity on internet-based services and software. Logging software is typically the first thing a developer or technician will check in the event of an unexpected outage or error, as it can help pinpoint the source of the problem relatively quickly and easily.
The ease of use and utility of Log4J have made it ubiquitous on servers and enterprise networks across the internet. Unfortunately, a massive security vulnerability was discovered that allows hackers to gain entry to any server running the software and effectively take control of it via remote code execution.
Is the vulnerability patched?
Apache is the open-source organization responsible for development of Log4J. They quickly released a software patch to address the vulnerability. Unfortunately, the patch itself contained another security vulnerability, which has also been patched.
As of this writing, a third vulnerability has also been discovered.
How bad is it?
In short: extremely. The severity of the vulnerability combined with the widespread use of the software means that hackers have countless targets online to exploit in the months to come. The timing of the discovery also works against organizations; the IT teams and cybersecurity personnel who would typically be applying patches and mitigating would-be cyberthreats often work with skeleton crews over the holiday season. The combination of these three factors represents a worst-case scenario.
Additionally, the widespread use of Log4J means that it can be difficult to keep track of where it’s deployed. It’s used everywhere, so it can be a problem anywhere.
“Log4j is so prevalent – utilized by millions of third-party enterprise applications, cloud services and manufacturers, including Apple, Twitter and Tesla – that security teams may have difficulties pinpointing where the library is actually being used,” observed cybersecurity firm Duo Security.
What can the average internet user do?
Unfortunately, there isn’t much that can be done by laypersons; the Log4J vulnerability needs to be addressed and patched by server and system administrators. For now, the best advice is to continue to use best practices and good cyber hygiene and hope for the best.