You may have seen people talk this week about Log4Shell and the damage that it’s causing. The zero-day exploit has people worried, with some saying that it’s “set the Internet on fire” or that it “will haunt [us] for years”.
But just how concerned should you be, and is there anything you can do to protect yourself?
What is Log4Shell?
Log4Shell is a remote code execution exploit that’s found in versions of log4j, the popular open-source Java logging library.
The critical vulnerability was made public last week, almost a month after security researchers at Alibaba disclosed it to the Apache Software Foundation.
Security teams around the world have been scrambling to fix the issue, which affects a huge number of software products, online systems and Internet-connected devices.
Apple, Amazon, Baidu, Google, IBM, Tesla, Twitter and Steam are among those affected.
The vulnerability is tracked as CVE-2021-44228 and has been given the maximum 10.0 severity rating. That means attackers can take full control of a vulnerable system over the Internet without any interaction from the victim.
What’s more, it doesn’t take much skill to execute. This, combined with the ubiquity of the vulnerability, means that exploits are being seen all over the Internet, with criminal hackers planting malware, installing ransomware and cryptomining code, and stealing personal data.
More than 250 vendors have already issued security advisories and bulletins on how Log4Shell affects their products. Meanwhile, users are being urged to check for security updates regularly and ensure that they are applied as soon as possible.
How can you protect yourself?
Log4Shell is an anomaly in the cyber security field. Vulnerabilities are typically only made public when the organisation responsible has released a patch, but this is not the case with Log4Shell.
Not only is it a zero-day exploit (so named because you have zero days to fix it), but it is so widespread that some experts suggest that organisations should assume that they’ve already been compromised.
The Apache Software Foundation, which maintains the log4j software, has released an emergency security patch and published mitigation steps for those unable to update their systems immediately.
Meanwhile, Huntress Labs has created a free Log4Shell scanner that organisations can use to assess their own systems, and Cybereason has released a Log4Shell “vaccine” that’s available for free on GitHub.
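The scanners mentioned above exist because the first step in dealing with Log4Shell is finding out where log4j-core is installed, including copies bundled inside application archives that package managers never see. The Python script below is an added example, not code from this article, from Huntress Labs or from Cybereason: it walks a directory tree, opens every JAR, WAR, EAR or ZIP it finds, descends one level into archives nested inside them, identifies log4j-core by its real package prefix `org/apache/logging/log4j/core/`, reads the version from the standard `Implementation-Version` or `Bundle-Version` manifest attributes (falling back to the file name), and flags every copy older than a minimum safe version. That minimum is deliberately not hard-coded; pass the version number from the Apache Software Foundation advisory on the command line. Anything whose version cannot be parsed is reported as vulnerable, since an inventory that cannot prove a copy is safe should not say that it is.

```python
"""Inventory scanner for log4j-core archives (added example, not the article's or any vendor's tool).

Usage: python log4j_inventory.py <directory> <minimum-safe-version-from-advisory>
"""
import io
import os
import re
import sys
import zipfile
from typing import Dict, Iterator, List, Optional, Tuple

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Real package prefix of log4j-core; log4j-api alone does not carry it.
LOG4J_CORE_PREFIX = "org/apache/logging/log4j/core/"
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+\d*))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    A pre-release tag sorts below the final release with the same number:
    '2.0-beta9' -> (2, 0, 0, 0) is older than '2.0' -> (2, 0, 0, 1).
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def parse_manifest(raw: bytes) -> Dict[str, str]:
    """Parse META-INF/MANIFEST.MF, folding continuation lines (leading space)."""
    attrs: Dict[str, str] = {}
    key = None
    for line in raw.decode("utf-8", errors="replace").splitlines():
        if line.startswith(" ") and key is not None:
            attrs[key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def log4j_core_version(zf: zipfile.ZipFile, name_hint: str) -> Optional[str]:
    """Return a version string if this archive contains log4j-core, else None."""
    names = zf.namelist()
    if not any(n.startswith(LOG4J_CORE_PREFIX) for n in names):
        return None
    if "META-INF/MANIFEST.MF" in names:
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF"))
        for key in ("Implementation-Version", "Bundle-Version"):
            if key in attrs and VERSION_RE.search(attrs[key]):
                return attrs[key]
    # No usable manifest (e.g. a shaded application JAR): try the file name.
    m = re.search(r"log4j-core-([0-9][^/]*?)\.jar$", name_hint)
    return m.group(1) if m else "unknown"


def scan_archive(zf: zipfile.ZipFile, name_hint: str, depth: int = 0) -> Iterator[Tuple[str, str]]:
    """Yield (location, version) for log4j-core in this archive and in
    archives bundled one level inside it (WAR/EAR/fat JAR libraries)."""
    version = log4j_core_version(zf, name_hint)
    if version is not None:
        yield (name_hint, version)
    if depth >= 1:
        return
    for entry in zf.namelist():
        if entry.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(entry)))
            except (zipfile.BadZipFile, KeyError):
                continue
            yield from scan_archive(inner, f"{name_hint}!/{entry}", depth + 1)


def scan_tree(root: str, min_safe: str) -> List[dict]:
    """Walk `root` and report every log4j-core copy with a verdict against `min_safe`."""
    threshold = parse_version(min_safe)
    if threshold is None:
        raise ValueError(f"cannot parse minimum safe version {min_safe!r}")
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, fn)
            try:
                zf = zipfile.ZipFile(path)
            except (zipfile.BadZipFile, OSError):
                continue
            with zf:
                for location, version in scan_archive(zf, path):
                    parsed = parse_version(version)
                    # Unparseable version: cannot prove it is safe, so flag it.
                    vulnerable = parsed is None or parsed < threshold
                    findings.append({"location": location, "version": version, "vulnerable": vulnerable})
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: log4j_inventory.py <directory> <minimum-safe-version-from-advisory>")
    for f in scan_tree(sys.argv[1], sys.argv[2]):
        print(f"{'VULNERABLE' if f['vulnerable'] else 'ok':10} {f['version']:12} {f['location']}")
```

Run it against application directories and container images unpacked to disk; the `!/` notation in a reported location names the nested archive inside which the library was found. A shaded application JAR that repackages log4j-core classes under its own manifest version is reported with that version (or as unknown) and will usually be flagged, which is the right default for an inventory that feeds patching decisions.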