Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There are a couple of jargon-filled write-ups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out, but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically, if you don't have that patch and you connect to a multiplayer server, you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers for just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well... especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there has been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked... whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
Saved offline stuff would be good. The only exceptions may be single player games that connect to web services in order to prove they're legit copies. Think stuff like Cyberpunk or whatever. There's a couple hints that Steam may be affected but again, info is still being discovered.
The main concern is that if there's a way for this to spread to your PC through a Java program that connects to an affected server (like they're trying to prevent with Minecraft), then your PC could get encrypted with ransomware or be used to propagate the worm to other computers.
In this case, I think I can say I'm ready. Stay safe.
Tbh, don't worry about it. Minecraft's being used as an example because it's built on old Java code.
I'm long out of "the field" but this, as usual, is a server side problem more than a personal computing one. Java and JavaScript are two entirely different things. The fact you asked the question leads me to believe you're probably not running anything relevant on your PC. 👍
To the neck beards: I know I'm oversimplifying and misrepresenting the essential underlying truth with the above. A "heads up, Shit Could Hit the Fan globally" is fine, but we don't need to be scaring old ladies.
(Not calling anyone an old lady!)
This comment cracked me up so hard. *dies* People around me in the coffee shop now think I may be epileptic.
Ahaha I'm only 33 but feel like an old lady when I read this post. 😅 I told my husband he would have to summarize. He told me my phone would be fine 🤣🤣
I'm an old lady and dang proud of my 60 yrs! I've been through personal world wars, to say the least; my real age by life is maybe 259 😍
Hahaha. Upvotes for all the neck beards.
Consoles affected? PS4/Xbox kinda deals.