Log4Shell: Understand the set of vulnerabilities that has shaken the world

"Apocalypse". This was the powerful term used by many cybersecurity experts to describe the discovery of Log4Shell, a set of vulnerabilities that has been keeping industry professionals awake at night since December 2021. The use of the term may seem exaggerated, but once you understand the severity of the problem, you will agree. We are talking about bugs that can affect a large part of the Internet and cause gigantic damage to corporate computers, servers, and applications.

The name Log4Shell was, in fact, initially used to describe a single security breach found by Chinese researchers at Alibaba which was disclosed to the world on December 9. This vulnerability resided in Log4j, a very famous open-source library maintained by the Apache Foundation which is used to register activity logs in Java applications. However, after the discovery of the original bug (CVE-2021-44228), several other similar ones were then detected.

Explained in the least technical way possible, Log4Shell vulnerabilities allow an attacker to execute arbitrary code in a vulnerable application, as the affected editions of Log4j respond to requests without first making certain necessary verifications. This is a remote code execution (RCE) failure. With this, criminals can steal sensitive data and even deploy malware on the attacked machine. In fact, most criminals have been taking advantage of the situation to install cryptocurrency miners, assemble botnets, and spread ransomware.

There's nowhere to run

You're probably thinking, "Okay, but who uses this Log4j?". That's where the biggest problem lies: practically everyone, even if they don't know it! Log4j has been around for years and is the world's most used library to register and store logs in Java-based software. The library is so popular that it is included in other libraries that many programmers employ in their projects without even knowing that, deep down, there is the Log4j in there doing its job. This is the reason for so much despair.

Log4Shell was initially identified in the game “Minecraft: Java Edition” and the list of affected services and applications soon became gigantic. The United States government was so concerned about the situation that they created a complete list in GitHub of who has or has not been affected by the security breaches.

Incidentally, speaking of government responses, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) determined that all suppliers hired by the government should correct the failures by December 24, 2021, a request that was promptly complied with. “It's one of the most serious I've ever seen in my entire career, if not the most serious,” said Jen Easterly, current director of CISA. In Quebec, Canada, the government shut down nearly 4,000 of its websites as a "preventive measure".

How can you protect yourself?

Although it can cause harm to end users, Log4Shell is a vulnerability that depends more on the developers of an application than on internet users themselves. After all, they are the ones who must update the library to the latest, bug-free version. Of course, once this is done, the consumer should also download the appropriate updates that are provided.