
How a simple logging library created a disaster
Information Technology and Security professionals everywhere had a wild ride this past December when Apache publicly disclosed a vulnerability in the log4j-core library that had been hidden for over 8 years. This vulnerability was officially dubbed “log4shell”, but, as EthernetNoose from Reddit pointed out, LogNightmare is more apropos.
This vulnerability allowed a malicious attacker to execute arbitrary code simply by passing a specifically crafted string into an application. Security experts estimate that it affects hundreds of millions of computers worldwide, and the ease of exploitation was alarming. Log4Shell was given a 10, the highest available score, in the Common Vulnerability Scoring System, and it impacted major organizations such as Apple, Minecraft, Steam, and Cloudflare.
Properly done security is like getting to the dessert in a 7-course meal. It takes time, patience, persistence, and care to ensure that you finally reach the delicious caramel flan at the end. This vulnerability, however, jumped right to the end by abusing a little-watched library that, in theory, should only be responsible for taking whatever the calling application tells it and putting it in a little file on a server. For example, an attempt to log in to the (fictitious) AcmeCo Bank might save the username entered, for record keeping or for later security tracking. It could do this by using the log4j library. If that were the case, an attacker could compromise AcmeCo simply by entering a specifically crafted string into that username field, triggering the vulnerability, and then installing ransomware on every server it possibly can.
AcmeCo is just an example here, but this, or something similar, actually happened to numerous companies before the issue was patched. While many of the details aren’t fully public yet, the damage is done and many companies spent Christmas in the office this year. More alarming: federal investigations are beginning to determine whether this particular vulnerability was used in other recent attacks over the previous few months, though much more investigation will be needed to find this out. For now, the immediate threats appear to be resolved.
If you’re just an everyday user, this past month is another reminder to ensure you always update to the latest versions as often as you can and to always be careful where you go on the internet.
[C. Credence, Server Architect by day and Church Sound Engineer on the weekends, lends a helping hand to many in need of his expertise.]
