A vulnerability in a widely used logging library has evolved into a full-blown security crisis affecting digital systems across the Internet. Hackers are already trying to take advantage of it, and even as fixes appear, researchers warn that the bug could have dire repercussions around the world.
The problem lies with Log4j, a ubiquitous open source Apache logging framework that developers use to record activity within an application. Security responders are scrambling to fix the bug, which can be easily exploited to take remote control of vulnerable systems. At the same time, hackers are actively scanning the Internet for affected systems. Some have already built tools that automatically attempt to exploit the bug, as well as worms that, under the right conditions, can spread from one vulnerable system to another.
Log4j is a Java library, and although the programming language is less popular with consumers these days, it is still widely used in enterprise systems and web applications. Researchers told WIRED on Friday that they expect many mainstream services to be affected.
For example, Microsoft-owned Minecraft released detailed instructions on Friday on how players using the Java version of the game should patch their systems. “This exploit affects many services – including Minecraft Java Edition,” the post said. “This vulnerability creates a potential risk that your computer could be compromised.” Cloudflare CEO Matthew Prince tweeted on Friday that the problem was “so bad” that the Internet infrastructure company would try to provide at least some protection even for customers on its free service tier.
All an attacker has to do to exploit the bug is send a strategically crafted string of malicious code that will eventually be logged by Log4j version 2.0 or later. The exploit lets an attacker load arbitrary Java code onto a server and thereby take control of it.
“It’s a catastrophic design flaw,” said Free Wortley, CEO of the open source data security platform LunaSec. The company’s researchers released a warning and an initial assessment of the Log4j vulnerability on Thursday.
Screenshots circulating in forums appear to show gamers exploiting the vulnerability through Minecraft's chat function. On Friday, some Twitter users began changing their display names to strings of code that could trigger the exploit. Another user changed their iPhone's name to do the same and forwarded the result to Apple. Researchers told WIRED that the approach could potentially work over email as well.
The US Cybersecurity and Infrastructure Security Agency issued a warning about the vulnerability on Friday, as did the Australian CERT. The New Zealand cybersecurity organization's alert noted that the vulnerability is being actively exploited.
“It’s pretty bad,” says Wortley. “So many people are vulnerable and it’s so easy to take advantage of. There are some mitigating factors, but in the real world there will be a lot of companies that are not on the latest releases and are trying to fix this.”
Apache has classified the vulnerability as “critical” and released patches and mitigations on Friday. The organization says that Chen Zhaojun of the Alibaba Cloud Security Team first uncovered the vulnerability.