Late last week, the engineering team at Alibaba announced that they’d found a major vulnerability in a widely used software library. The library is called log4j, the vulnerability is named log4shell, and it has the potential to be very bad. With a lot of luck, you won’t see it all over the news, but in the event that you do, here’s a quick primer. Wired has a good longer piece, from which I stole this post title.
Do I have to worry about log4j?
Not in so many words. Unless you’re a systems administrator, you probably aren’t running a (particularly) vulnerable machine, so there’s nothing you can do anyway. See a movie; hug your children.
How does it work?
log4j is logging software; that is, it writes down information about a running program so that developers can see how it’s working (or not working). Sometimes, when it sees a certain string, it says, “oh okay, let’s download a file from this arbitrary location and execute it.” An attacker, with fairly basic knowledge of what kind of computer they’re attacking, can use this to take control of the whole system*, just by saying hello over the internet. And log4j is used in many, many systems, systems where the admins might not even know about it, because it’s buried under a bunch of other software libraries. The little guy on the bottom right of the cartoon? Sometimes that’s log4j**.
It is! It’s worse than 2014’s Heartbleed, which resulted in the theft of, conservatively, tens of millions of identities. At the time, Heartbleed was widely considered to be the worst vulnerability ever found in the modern Internet. This distinction now belongs to log4shell. And just like with Heartbleed, there is probably nothing you, personally, can do about it.
Above, I said that the attacker needs to have ‘fairly basic’ knowledge of the computer they’re attacking. This is because computers can’t execute any old arbitrary code; it has to be a Java binary written for the correct version of the Java Runtime Environment. This means that viral spread will be limited, at least until somebody figures out a way around this, which may happen in a matter of days. And if that happens… lots of very important computers will find themselves under the control of hackers.
*Or whatever sandbox Java may be limited to, if you’re lucky.
**log4j is maintained by the large Apache Software Foundation, but you get the idea.
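For the systems administrators this post says are the ones who actually have to act: because log4j is so often buried inside other software, the first job is finding it. The script below is an added example, not part of the original post or of the log4j project; it walks jar/war/ear archives (including jars nested inside wars) for the class that performs the JNDI lookup, reads the version from the manifest, and flags anything older than 2.16.0 (my chosen cutoff, the release that disabled message lookups). The `build_sample_jar` fixture is constructed purely for testing.

```python
import io, re, sys, zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear")
FIRST_SAFE = (2, 16, 0)  # assumption: message lookups disabled, JNDI off by default from 2.16.0

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF as a tuple, or None."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    m = re.search(r"^Implementation-Version:\s*(\d+)\.(\d+)(?:\.(\d+))?", manifest, re.M | re.I)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def scan_archive(data, name):
    """Findings (path, version, exposed) where the JNDI lookup class is present; recurses into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []
    findings = []
    with zf:
        names = zf.namelist()
        if JNDI_LOOKUP_CLASS in names:
            version = manifest_version(zf)
            findings.append((name, version, version is None or version < FIRST_SAFE))
        for inner in names:  # war/ear files bundle their own copy of log4j-core
            if inner.lower().endswith(ARCHIVES):
                findings += scan_archive(zf.read(inner), f"{name}!{inner}")
    return findings

def build_sample_jar(version, include_lookup=True, wrap_in_war=False):
    """Constructed test fixture: a fake log4j-core jar, optionally nested inside a war."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    if not wrap_in_war:
        return buf.getvalue()
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", buf.getvalue())
    return war.getvalue()

if __name__ == "__main__":  # usage: python3 scan.py /path/to/app.war /path/to/lib/*.jar
    for path in sys.argv[1:]:
        for name, version, exposed in scan_archive(open(path, "rb").read(), path):
            print("EXPOSED" if exposed else "ok", name, "log4j-core", version or "unknown")
```

The presence of the lookup class is the real signal; the version comparison is only a heuristic and will also flag older patched backport lines, so treat every hit as something to check by hand.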