Why does the Log4Shell vulnerability have tech firms worried?

News: A new vulnerability named Log4Shell is being touted as one of the worst cybersecurity flaws to have been discovered.

What is the Log4Shell vulnerability?

The Log4Shell vulnerability is a flaw in one of the most widely used pieces of server software. It is a remote code execution (RCE) vulnerability, which means attackers can use it to remotely execute arbitrary code on a server and steal data.

It is a vulnerability in a logging library that is used by almost every big company in the world, including Apple Inc., Microsoft Corp., Amazon.com Inc., Google LLC, and more.

Logging libraries allow developers to monitor their applications and catch bugs. The vulnerability has been given a 10/10, the highest severity rating for such vulnerabilities. However, Log4Shell doesn’t affect users directly.

Why is it a serious issue?

Firstly, its exploitation could allow hackers to control Java-based web servers and launch what are called ‘remote code execution’ (RCE) attacks.

Secondly, since this library is present everywhere across applications, the vulnerability could allow the attacker full control of the affected server.

Thirdly, successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS).

Is the vulnerability being exploited by hackers?

Security firm Check Point Research said it had documented 846,000 attacks on corporations in the first 72 hours of the “outbreak”.

And 41% of corporate networks in India had faced an attempted exploit.

Companies like Google, Microsoft, and Cisco Systems Inc. say their programs and applications have been affected.

In the future, serious threat actors will try to exploit this vulnerability to attack a whole range of high value targets such as banks, state security and critical infrastructure.

How does one protect against Log4Shell?

For Minecraft players: They have to ensure that they are on the newest client of the game, which includes a fix for the issue.

For corporations: A patch was issued for the vulnerability on 13th December, and technology teams will have to ensure that it is incorporated into their systems.

Source: This post is based on the articles “Why does the Log4j vulnerability have tech firms worried?” & “Why Log4Shell is the worst security issue in a decade”, published in the Indian Express and Livemint on 16th Dec 2021.