Hey there everyone, your friendly neighborhood tech pede here. Not sure how much attention people here pay to tech news but over the past two days there has been a bit of info that's been trickling into even some mainstream news sites about a recently discovered vulnerability called Log4Shell. These sites have been saying how this vulnerability has the potential to be pretty bad. As a guy that's worked in tech for pretty much all my life, let me rephrase that for them. This vulnerability has the potential to be catastrophic.
I work in the civ, non-gov't sector and I have more NDAs signed than I can count so I can't go into specifics of clients or ongoing cases that we're involved in. But we see cases come in where massive companies get their data stolen and ransomed for millions and no one at my work really thinks twice about it because we work with this stuff every day. But this one has us all worried.
What is this vulnerability?
There are a couple of jargon-filled writeups here:
But long story short, in order for a website or service to be accessible via the Internet, it needs a web server in place. The most widely used one of these is a web server called Apache that's been around for about 25 years. Every web server (and really any application on a computer) keeps a log of everything that it does in order to track errors, see unauthorized access, that kind of thing. This exploit specifically targets this built-in logging feature in Apache in order to gain full access to the web server and drop pretty much anything it wants on it.
So how bad is it?
Bad. Really, really bad. Bad enough that as soon as it was released, it immediately hit the ceiling as a 10.0 out of 10.0 on the CVE index and that was only because the index didn't go higher. For reference, the HAFNIUM exploits from this past February/March that caused hundreds of thousands of mail servers across the globe to have their data stolen and their systems crashed didn't even reach that mark, with most of the affected CVEs for that exploit coming in at 7.8.
Unlike the HAFNIUM exploit, this vulnerability appears to have the potential to be a C2C (computer to computer) worm, which means that once it's infected a web server it can spread uncontrolled to basically any device connected to that web server.
So it only affects these web servers, right?
Not necessarily. Evidence is still coming out but it appears as though this may be able to spread to any device that communicates with an Apache-based web server. The biggest example right now is Minecraft, which released a zero-day patch just yesterday to help protect against this. Basically if you don't have that patch then if you connect to a multiplayer server then you're vulnerable.
But it's not just services like Minecraft. A lot of applications also have what's referred to as integrated web servers, which is where the Apache web server does not exist independently of the application. If it were to be independent, then you could just patch the web server and call it a day. But if it's integrated you need to re-code portions of the ENTIRE application in order to get it updated to protect against this. There's not enough manpower in the world to do this.
Look at the numbers of just websites running Apache alone. There are over 1.7 billion websites in the world and about 32% are known to run Apache. The actual number is most certainly higher. Even in a best-case scenario, we're looking at over 500 million websites that are affected by this.
But again, it's not just websites, it's services as well...especially services that run on Java. You know that fancy satellite radio in your car? That runs on Java and reports to a web server. You know that new TV you got on Black Friday? Yep, that runs Java and reports to a web server. That fancy new smart plug that lets you turn lights on and off from your phone? Take a guess.
Seeing why we're worried?
Well, crap.
Don't worry, it gets worse! So far there has been a list of about 150 international backbone companies that have been seen to be affected by this. These companies range from home devices to antivirus and backup software. Some companies such as Kronos (UKG) have already had their services nuked...whether it's by this vulnerability or not isn't known yet. But Kronos is saying that it will be "several weeks" before things are back functioning again.
https://www.theregister.com/2021/12/13/ultimate_kronos_group_ransomware_attack/
So once this hits a server, it hits FAST and it hits HARD and it goes DOWN.
So these attacks are already happening?
They haven't even really started, that's the fun part. There has been some evidence that these have been circulating to some extent in the wild but there hasn't been a mass-scale attack like we've usually seen. Current insiders are estimating that a worm that can fully take advantage of this C2C spread will be completed and deployed within 24-48 hours:
https://nitter.net/Laughing_Mantis/status/1470165580736987137
So what should I do?
If you're in tech, get your Apache web servers updated immediately. Get off this site and just do it. If you have kids that are running a Minecraft server (hell, just even playing Minecraft on PC in general) then make sure it's updated. Microsoft has more info here:
https://www.minecraft.net/en-us/article/important-message--security-vulnerability-java-edition
If you're just a regular tech user then make sure you have a few good, long books just in case things go FUBAR. And strap the fuck in.
The vulnerability is in log4j, not the Apache web server. This is a completely separate project also developed by the Apache foundation. It is a Java logging library, and is not used in the Apache web server, which is written in C.
It's still a big deal and log4j is very widely used, but to say the web server itself is vulnerable is not true.
This is correct. Log4j is a library used in Java-based platforms that run on Apache. Not all Java platforms use this library, although it is very popular.
It doesn't need to run on Apache (which would be something like Apache Tomcat rather than the web server). It's a standalone library, a service could be vulnerable regardless of its hosting platform.
The information I am getting from Infor, which is the product that I consult on, seems to be deleting the log4j*.jar files.
Infor indicates that version 1 files are not affected by this issue. Although there is a vulnerability in version 1 files:
"Affected Versions of Log4J - Any Log4J version prior to v2.15.0 is affected by this specific issue. The version 1 branch of Log4J is vulnerable to other RCE attacks and should be updated."
The part in bold ONLY applies to log4j V2. We run log4j V1. V1 IS NOT AFFECTED BY THIS SPECIFIC ISSUE.
A known vulnerability in v1 - https://logging.apache.org/log4j/1.2/ only applies to the log4j socket server, which we do not use.
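Added example, not part of any post in this thread: a small Python triage script that applies the version rule quoted above (anything prior to v2.15.0 is affected by this specific issue, the version 1 branch is a separate matter) to the log4j*.jar files under a directory. The function names and verdict strings are assumptions made for illustration, and the check reads file names only.

```python
import re
from pathlib import Path

# Threshold from the advisory text quoted in the thread: versions prior to
# v2.15.0 are affected by this specific issue.
FIXED_IN = (2, 15, 0)
VERSION_RE = re.compile(r"-(\d+(?:\.\d+)+)")


def jar_version(filename):
    """Return the version tuple encoded in a log4j jar name, or None.

    The last version-like token wins, so the v2 bridge jar
    log4j-1.2-api-2.14.1.jar is read as 2.14.1, not 1.2.
    """
    name = filename.lower()
    if not (name.startswith("log4j") and name.endswith(".jar")):
        return None
    tokens = VERSION_RE.findall(name[: -len(".jar")])
    if not tokens:
        return None
    parts = [int(p) for p in tokens[-1].split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(filename):
    """Map a jar name to a triage verdict using the page's version rule."""
    version = jar_version(filename)
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "v1: not this issue, review separately"
    if version < FIXED_IN:
        return "v2: affected, upgrade"
    return "v2: at or above 2.15.0"


def scan(root):
    """Walk root and return (relative path, verdict) for every log4j*.jar."""
    root = Path(root)
    hits = [p for p in root.rglob("*.jar") if p.name.lower().startswith("log4j")]
    return sorted((str(p.relative_to(root)), classify(p.name)) for p in hits)


if __name__ == "__main__":
    import sys
    for path, verdict in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:40} {path}")
```

Copies of the library that have been renamed or bundled inside another application's jar will not match the file-name pattern, so an empty result does not prove the library is absent.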