Log4j Exploit, Explained: What It Is and Why Techies Are on Edge

By the end of the third quarter of 2021, the number of data breaches YTD surpassed the total number of hacks in 2020 by 17 percent. These cybersecurity hacks aren't a coincidence. The Log4j logging library has known vulnerabilities, which makes it easier for hackers to do their thing.

The latest Log4j exploit is one worth paying attention to. Here are the details on Log4j and what the exploit means for internet users the world over.

Log4j is a part of Apache Logging Services (led by the Apache Software Foundation). Log4j is a logging library based in Javascript and it's one of a few Java-based logging frameworks.

Millions of platforms, including Minecraft and Apple iCloud, use Log4j. The Apache Log4j team has already created a successor, called Log4j 2. However, given the recently highlighted vulnerabilities, a new iteration is necessary.

The Log4j security risk has been named Log4Shell (or, alternatively, LogJam or CVE-2021-44228). It's a zero-day vulnerability, which means that hackers are actively trying to exploit it. Basically, hackers can access a platform's full library of activity. That includes Microsoft, Google, Amazon, and all the other Log4j 2.0+ users out there, which puts platform and user data at major risk.

Chen Zhaojun of the Alibaba Cloud Security Team first discovered the vulnerability, which has been shown to pose critical risk for any system using Log4j (including versions 2.0-beta-9 and 2.14.1).

The Apache team uses a CVSS (Common Vulnerability Scoring System) and has labeled the Log4j exploit risk as a 10, which is the highest (or most "critical") vulnerability.

Because so many platforms and organizations use Log4j as the base of their user experience, the vulnerabilities for data are sweeping. Tech enthusiasts say that millions of applications are potentially at risk, along with the data of every individual within each of those applications.

Apache has announced its releasing Log4j version 2.15.0 in response to the remote code execution vulnerability. According to the CISA (Cybersecurity & Infrastructure Security Agency), users and administrators should review and upgrade to the latest iteration "or apply the recommended mitigations immediately."

Log4j 2.15.0 fixes critical security issues because the predecessor's JNDI (Java Naming and Directory Interface) features don't protect against hackers' LDAP (Lightweight Directory Access Protocol) and other JNDI-related endpoints, according to Apache.

Apache said, "An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From Log4j 2.15.0, this behavior has been disabled by default."

Mitigation options include setting the system property or environment variable, among others. Users can refer to the Apache Log4j security vulnerabilities explanation for more information on mitigation tactics without upgrading to Log4j 2.15.0.

Ultimately, the impact of Log4j exploits will depend on how quickly platforms can update to the new Log4j version or use the mitigation tactics that Apache specified.