What is Log4j vulnerability? How it is affecting Apple’s iCloud, Twitter, and Minecraft


The Log4j vulnerability is affecting a wide range of products including Apple’s iCloud, Twitter, Microsoft’s Minecraft, and several more. Here’s all you need to know about the cybersecurity nightmare.

What is Log4j vulnerability?

First reported on Friday, the Log4j vulnerability is allowing hackers uncontrolled access to computer systems. Also known as Log4Shell, it was first spotted by researchers at LunaSec in Microsoft’s Minecraft. Officially tracked as CVE-2021-44228, it leaves “many, many services” vulnerable to exploitation because of the library’s ‘ubiquitous’ presence.

This is because Log4j is an open-source Java library that most enterprise apps and servers use. The library helps keep a record of all activity in an app. The US government’s cybersecurity agency has also issued a warning about it.

What can the vulnerability do?

The Log4j vulnerability can allow hackers to execute ‘arbitrary code’ and get into a computer system. When exploited properly, it also allows them to gain complete control of a server. “An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled,” states the technical explanation. This is worrying because attackers have used it to gain access to computers. As per reports, the problem is resolved for users with Log4j 2.15.0 and above, because those versions have this ‘behavior’ disabled by default.
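For administrators who want to check their own servers against the 2.15.0 threshold mentioned above, here is an added example (not from the article, LunaSec or the Log4j project) that inventories Java archives for bundled copies of log4j-core. It assumes the jar still carries its standard Maven metadata file; the function names are illustrative.

```python
import io
import os
import re
import sys
import zipfile

# Assumption: standard Maven metadata entry shipped inside log4j-core jars.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
FIXED = (2, 15, 0)  # first release the article reports as resolved
ARCHIVE_EXT = (".jar", ".war", ".ear")

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple such as (2, 14, 1)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_log4j_core(archive, label, depth=3):
    """Yield (location, version) for each log4j-core found in an archive,
    descending into nested jars (fat jars, WARs) up to `depth` levels."""
    try:
        with zipfile.ZipFile(archive) as zf:
            for name in zf.namelist():
                if name == POM_PROPS:
                    props = zf.read(name).decode("utf-8", "replace")
                    m = re.search(r"^version=(.+)$", props, re.M)
                    if m:
                        yield label, m.group(1).strip()
                elif name.lower().endswith(ARCHIVE_EXT) and depth > 0:
                    inner = io.BytesIO(zf.read(name))
                    yield from find_log4j_core(inner, f"{label}!{name}", depth - 1)
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it

def scan(root):
    """Return sorted (location, version, needs_upgrade) for every archive under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fn)
                for loc, ver in find_log4j_core(path, path):
                    hits.append((loc, ver, parse_version(ver) < FIXED))
    return sorted(hits)

if __name__ == "__main__":
    for loc, ver, bad in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(("UPGRADE" if bad else "ok     "), ver, loc)
```

Jars that were repackaged with their Maven metadata stripped will not be reported, so an empty result is not proof that the library is absent.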

Who does this issue impact?

According to the cybersecurity firm LunaSec, several services are vulnerable to such exploits. They include Apple’s iCloud, Microsoft’s Minecraft, Twitter, Steam, Tencent, Google, Amazon, Cloudflare, NetEase, Webex, LinkedIn, etc. “Minecraft has already stated how users can update the game to avoid the issue. Other open-source projects such as Paper are also issuing patches to fix the problem,” stated LunaSec. Minecraft stated that the vulnerability impacted Minecraft Java Edition and explained how to update the game and avoid the issue.

However, users will have to take a few extra steps to make their game and servers more secure. Once they close all running instances of Minecraft, they need to relaunch, and the “patched version will download automatically”. “If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing,” they added.
