New Year, New Cybersecurity Threats

A critical flaw in widely used software, known as Log4Shell, has cybersecurity experts raising alarms and big companies racing to fix the issue.

The vulnerability, which was reported in late December, is in Java-based software known as "Log4j" that large organizations use to configure their applications. This vulnerability brings huge risks for much of the internet because Log4j is used in many kinds of open-source software, such as cloud platforms, web apps and email services.

What is Log4j and why does it matter?

Log4j records events, errors, and routine system operations and is one of the most popular logging libraries used online. Essentially, Log4j gives developers a way to build a record of activity to be used for a variety of purposes, such as troubleshooting, auditing and data tracking. Because it is both open-source and free, the library essentially touches every part of the internet.

Companies such as Apple, IBM, Oracle, Cisco, Google and Amazon all run the software.

An example of Log4j that most people have encountered is when you type or click on a 'bad' link and get a 404 error. Log4j records that event in a log for the server that is running that domain on the web. 

Log4j allows its users to specify custom code for formatting a log message, which can include login information, usernames, personal information, etc. Log4Shell exploits that feature and opens the door for bad actors to steal potentially sensitive information and even send malicious content to users.

And because Log4j is so widely used, hackers have ample targets to choose from, both big and small.

For context on how serious this vulnerability is, Jen Easterly, the director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the most serious vulnerability that she has seen in her career. And according to cybersecurity researchers at Check Point, there are over 100 attempts to exploit the vulnerability every minute.

What can you do to protect yourself? 

Unfortunately, not much can be done at present because, as a user, it is hard to know whether a product you are using includes Log4j. However, security experts say that keeping up to date with your software updates is a small layer of protection users can have.

Sources:

https://www.cnbc.com/video/2021/12/16/cisa-director-says-the-log4j-security-flaw-is-the-most-serious-shes-seen-in-her-career.html 

https://www.zdnet.com/article/log4j-flaw-attackers-are-making-thousands-of-attempts-to-exploit-this-severe-vulnerability/


About the Author: Taylor Genter

Taylor is a Marketing Manager at Extract with experience in data analytics, graphic design, and both digital and social media marketing. She earned her Bachelor of Business Administration degree in Marketing at the University of Wisconsin-Whitewater. Taylor enjoys analyzing people’s behaviors and attitudes to find out what motivates them, and then curating better ways to communicate with them.