A vulnerability in Log4j, a humble but widespread piece of software, has put
millions of computers at risk. SOPA Images/LightRocket via Getty Images


WHAT IS LOG4J? A CYBERSECURITY EXPERT EXPLAINS THE LATEST INTERNET
VULNERABILITY, HOW BAD IT IS AND WHAT’S AT STAKE

Published: December 22, 2021 2.12pm CET
Santiago Torres-Arias, Purdue University


AUTHOR

 1. Santiago Torres-Arias, Assistant Professor of Electrical and Computer Engineering, Purdue University


DISCLOSURE STATEMENT

Santiago Torres-Arias does not work for, consult, own shares in or receive
funding from any company or organisation that would benefit from this article,
and has disclosed no relevant affiliations beyond their academic appointment.


PARTNERS

Purdue University provides funding as a member of The Conversation US.

Log4Shell, an internet vulnerability that affects millions of computers,
involves an obscure but nearly ubiquitous piece of software, Log4j. The software
is used to record all manner of activities that go on under the hood in a wide
range of computer systems.

Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security
Agency, called Log4Shell the most serious vulnerability she’s seen in her
career. There have already been hundreds of thousands, perhaps millions, of
attempts to exploit the vulnerability.

So what is this humble piece of internet infrastructure, how can hackers exploit
it and what kind of mayhem could ensue?



Cybersecurity & Infrastructure Security Agency director Jen Easterly called
Log4Shell ‘the most serious vulnerability I’ve seen.’ Kevin Dietsch/Getty Images
News


WHAT DOES LOG4J DO?

Log4j records events – errors and routine system operations – and communicates
diagnostic messages about them to system administrators and users. It’s
open-source software provided by the Apache Software Foundation.

A common example of Log4j at work is when you type in or click on a bad web link
and get a 404 error message. The web server running the domain of the web link
you tried to get to tells you that there’s no such webpage. It also records that
event in a log for the server’s system administrators using Log4j.

Similar diagnostic messages are used throughout software applications. For
example, in the online game Minecraft, Log4j is used by the server to log
activity like total memory used and user commands typed into the console.


HOW DOES LOG4SHELL WORK?

Log4Shell works by abusing a feature in Log4j that allows users to specify
custom code for formatting a log message. This feature allows Log4j to, for
example, log not only the username associated with each attempt to log in to the
server but also the person’s real name, if a separate server holds a directory
linking user names and real names. To do so, the server running Log4j has to
communicate with the server holding the real names.

Unfortunately, this kind of code can be used for more than just formatting log
messages. Log4j allows third-party servers to submit software code that can
perform all kinds of actions on the targeted computer. This opens the door for
nefarious activities such as stealing sensitive information, taking control of
the targeted system and slipping malicious content to other users communicating
with the affected server.

It is relatively simple to exploit Log4Shell. I was able to reproduce the
problem in my copy of Ghidra, a reverse-engineering framework for security
researchers, in just a couple of minutes. There is a very low bar for using this
exploit, which means a wider range of people with malicious intent can use it.


LOG4J IS EVERYWHERE

One of the major concerns about Log4Shell is Log4j’s position in the software
ecosystem. Logging is a fundamental feature of most software, which makes Log4j
very widespread. In addition to popular games like Minecraft, it’s used in cloud
services like Apple iCloud and Amazon Web Services, as well as a wide range of
programs from software development tools to security tools.


Open-source software like Log4j is used in so many products and tools that some
organizations don’t even know which pieces of code are on their computers.

This means hackers have a large menu of targets to choose from: home users,
service providers, source code developers and even security researchers. So
while big companies like Amazon can quickly patch their web services to prevent
hackers from exploiting them, there are many more organizations that will take
longer to patch their systems, and some that might not even know they need to.


THE DAMAGE THAT CAN BE DONE

Hackers are scanning through the internet to find vulnerable servers and setting
up machines that can deliver malicious payloads. To carry out an attack, they
query services (for example, web servers) and try to trigger a log message (for
example, a 404 error). The query includes maliciously crafted text, which Log4j
processes as instructions.

These instructions can create a reverse shell, which allows the attacking server
to remotely control the targeted server, or they can make the target server part
of a botnet. Botnets use multiple hijacked computers to carry out coordinated
actions on behalf of the hackers.

A large number of hackers are already trying to abuse Log4Shell. These range
from ransomware gangs locking down Minecraft servers to hacker groups trying to
mine bitcoin and hackers associated with China and North Korea trying to gain
access to sensitive information from their geopolitical rivals. The Belgian
ministry of defense reported that its computers were being attacked using
Log4Shell.

Although the vulnerability first came to widespread attention on Dec. 10, 2021,
people are still identifying new ways to cause harm through this mechanism.


STOPPING THE BLEEDING

It is hard to know whether Log4j is being used in any given software system
because it is often bundled as part of other software. This requires system
administrators to inventory their software to identify its presence. If some
people don’t even know they have a problem, it’s that much harder to eradicate
the vulnerability.

Another consequence of Log4j’s diverse uses is there is no one-size-fits-all
solution to patching it. Depending on how Log4j was incorporated in a given
system, the fix will require different approaches. It could require a wholesale
system update, as done for some Cisco routers, or updating to a new version of
software, as done in Minecraft, or removing the vulnerable code manually for
those who can’t update the software.
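The two preceding passages describe the inventory problem (Log4j is often bundled inside other software) and the manual mitigation of removing the vulnerable code. The following script is an added example, not from the article or the Log4j project: it walks a directory tree, opens every jar/war/ear archive, recurses into archives nested inside them, and reports each log4j-core it finds with its version (read from the jar's Maven pom.properties) and whether the JndiLookup class is still present. The directory layout and version numbers in the fixture are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile
from typing import Dict, List

# Real entry paths inside a log4j-core jar: Maven metadata and the class behind JNDI lookups
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")

def inspect_archive(data: bytes, where: str, found: List[Dict]) -> None:
    """Record log4j-core found in one archive, then recurse into archives bundled inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inspect
    names = set(zf.namelist())
    if POM in names:
        props = zf.read(POM).decode("utf-8", "replace")
        version = next((line.split("=", 1)[1].strip() for line in props.splitlines()
                        if line.startswith("version=")), "unknown")
        found.append({"path": where, "version": version, "jndi_lookup": JNDI in names})
    for name in names:
        if name.lower().endswith(ARCHIVE_EXT):
            inspect_archive(zf.read(name), f"{where}!{name}", found)

def scan_path(root: str) -> List[Dict]:
    """Inventory every archive under root; '!' in a path marks nesting inside another archive."""
    found: List[Dict] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fname)
                with open(full, "rb") as fh:
                    inspect_archive(fh.read(), full, found)
    return found

def _make_jar(entries: Dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()

def build_constructed_sample() -> str:
    """Constructed fixture: a war bundling an old log4j-core, plus a newer jar with JndiLookup removed."""
    root = tempfile.mkdtemp()
    inner = _make_jar({POM: b"version=2.14.1\n", JNDI: b"\xca\xfe\xba\xbe"})
    with open(os.path.join(root, "app.war"), "wb") as fh:
        fh.write(_make_jar({"WEB-INF/lib/log4j-core-2.14.1.jar": inner}))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as fh:
        fh.write(_make_jar({POM: b"version=2.17.1\n"}))
    return root

if __name__ == "__main__":
    for finding in scan_path(build_constructed_sample()):
        print(finding)
```

Compare the reported versions against the vendor's advisory for each product; a copy that still carries JndiLookup.class and an old version is the case the article describes as needing an update or manual removal.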

Log4Shell is part of the software supply chain. Like physical objects people
purchase, software travels through different organizations and software packages
before it ends up in a final product. When something goes wrong, rather than
going through a recall process, software is generally “patched,” meaning fixed
in place.

However, given that Log4j is present in various ways in software products,
propagating a fix requires coordination from Log4j developers, developers of
software that uses Log4j, software distributors, system operators and users.
Usually, this introduces a delay between the fix being available in Log4j code
and people’s computers actually closing the door on the vulnerability.


Some estimates for time-to-repair in software generally range from weeks to
months. However, if past behavior is indicative of future performance, it is
likely the Log4j vulnerability will crop up for years to come.

As a user, you are probably wondering what you can do about all this.
Unfortunately, it is hard to know whether a software product you are using
includes Log4j and whether it is using vulnerable versions of the software.
However, you can help by heeding the common refrain from computer security
experts: Make sure all of your software is up to date.
