What Was Up with Log4Shell?

Guest blogger, Chris Bonatti, an IECA Consultant Explains What Happened

Forward by CyberWyoming:  Learn how to manage vulnerabilities in Wyoming’s Cybersecurity Competition for Small Businesses.  Join the competition at www.cyberwyoming.org/competition.   (IECA’s membership makes the Competition free to all Wyoming small companies.)  Log4j was such a huge deal because it is embedded in many different internet protocols and programming packages.

Log4Shell has launched many organizations into a panic state, trying to get a lock on all the places where Log4j is used. Log4j is included in almost all the enterprise products released by the Apache Foundation. Other things also use Log4j, such as Redis, Elasticsearch, Elastic Logstash, and even NSA’s Ghidra. Dozens of companies have servers confirmed to be vulnerable to Log4Shell attacks including Amazon, Apple, Google, Intel and Microsoft. Without a doubt there are thousands more. The province of Quebec shut down almost 4,000 government websites as a preventative measure while they comb through them. The problem is deceptive in that it isn’t only first order developments that need to be checked. Second, third, and n-th tier packages may incorporate the vulnerable package. The new version of Log4j needs to be imported and recompiled by every project in which it has been used. A list of affected software is updated daily at ‘https://github.com/NCSC-NL/log4shell/tree/main/software’. Google surveyed Java modules on the Maven Central Index, and estimates that it will be years, at least, before the Log4j mess is finally cleaned up. They explained that out of more than 35,000 vulnerable libraries, only approximately 7,000 packages contain a direct Log4j dependency. Many Java developers will either need to wait for the packages they use (over which they have zero control) to be updated, or switch to alternative solutions that are not vulnerable.


Register to Receive the Tech Joke of the Week!

This Week's Joke:

How many programmers does it take to change a light bulb?

None, it is a hardware problem!

More Posts: