Although I am not an expert on this topic, I have been reading and taking notes on the subject in recent weeks.

What Is Log4j?

Log4j is one of the most common logging libraries used online. This is because Log4j gives software developers a way to build a record of activity to be used for a variety of purposes, such as troubleshooting, auditing and data tracking. The framework itself is also totally free, so it’s essentially everywhere.

The details of the Log4j flaw are complex, but the short version is this: Log4j is a Java logging utility that runs on billions of devices, including smart TVs and Cisco routers.

What Makes It Bad?

While it can be manually updated by users, Log4j is present in so many devices that manual updates would be a logistical nightmare, if not impossible, especially in IoT devices that contain it.

More than 80% of Java packages affected by the vulnerability in the Apache Log4j library cannot be updated directly because of dependencies and will require coordination between different project teams to address the flaw, according to a recent survey by Google.

Log4j is also set to automatically update itself according to a default setting that the Log4j developers thought would be harmless but turned out not to be.

Cloudflare has analyzed the Log4j vulnerability and found that attackers had more than a week to exploit companies’ systems before the vulnerability was made public.

Experts are particularly concerned about this vulnerability because it gives attackers easy access to a server, which then serves as an entry point into other parts of a network. It is also very difficult for IT teams to tell whether their systems have already been compromised.
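Two of the points above, that Log4j is often buried in dependencies that cannot be swapped out directly and that IT teams struggle to see where it even is, come down to inventory. As an added example (not code from the original post), the Python script below finds copies of log4j-core inside JAR, WAR and EAR files, including archives nested inside other archives, and reports the bundled version. The marker class and the pom.properties path are the ones shipped in log4j-core builds; the sample archive at the bottom is constructed in the script.

```python
"""Inventory log4j-core copies hidden inside (possibly nested) archives.

Added example, not code from the original post. The marker class and
pom.properties path are those shipped in log4j-core builds.
"""
import io
import pathlib
import zipfile

LOG4J_CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def version_from_pom(data: bytes) -> str:
    """Pull the 'version=' line out of a Maven pom.properties file."""
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def scan_archive(blob: bytes, path: str, found: list) -> None:
    """Inspect an archive held in memory; append (location, version) for each log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return  # not a zip-based archive, nothing to inspect
    with zf:
        names = set(zf.namelist())
        if LOG4J_CORE_MARKER in names:
            version = version_from_pom(zf.read(POM_PROPS)) if POM_PROPS in names else "unknown"
            found.append((path, version))
        for name in names:  # recurse into bundled JARs (fat jars, WEB-INF/lib, ...)
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!{name}", found)


def scan_tree(root: str) -> list:
    """Walk a directory tree; return [(location, version), ...] for every log4j-core found."""
    found = []
    for p in pathlib.Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), str(p), found)
    return found


def make_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Run it as `scan_tree("/opt/app")` against a real deployment; the `!` in a reported location separates the outer archive from the nested JAR inside it.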

Going Forward

Patches have already been released, but applying them is a different story.

Large organizations will patch their internet-facing systems, but will remain exposed through unpatched individual systems inside their own networks. It will likely take years to fully fix these systems, and in the meantime they’ll be at risk of cyber attacks.

Small organizations that do not have the budget, time, or training to devote to cybersecurity issues will be impacted the most.

It may take years to fully repair these systems and correct their vulnerabilities, and in the meantime, any systems already compromised will be used to launch further cyber attacks.