Unless you are in the IT industry, the news of a massive, newly discovered worldwide security vulnerability may have passed you by last weekend.
The problem is that this particular vulnerability has immense potential ramifications and has had IT teams around the globe racing against hackers to patch it.
What is the problem?
The software that runs our business applications, servers and other apps uses code. In many cases, this code draws on what is known as open-source code that developers have made available for free for other developers to use.
Rather than reinvent the wheel, developers copy and tweak this open-source code into their own programs.
When this code is particularly useful, you may see it appear in millions of pieces of software, hardware and systems.
It works brilliantly until a vulnerability is discovered in that code that hackers can then use to access the software, hardware, and systems.
What is Log4j?
In this situation, the open-source code is catchily titled “Log4j”.
This particular code helps to record what is happening in programs and systems. These logs help show whether a program is running smoothly and what has triggered particular errors in a program or system.
Log4j is one of the most popular pieces of open-source logging code on the market. It is conservatively estimated to be used in 3 billion (yes – billion with a b) systems worldwide.
It is used in many business programs, applications, cloud services, and web servers. It is also found in security devices, PCs, Macs, mobile phones, network devices, cloud hosting providers and tech connected to the Internet of Things such as smart devices.
What is the vulnerability?
A vulnerability was found in the code on 9 December 2021 that allows malicious actors to take complete control of servers and programs running the code without authentication. This means it bypasses multifactor authentication and other systems designed to stop unauthorised access.
The vulnerability allows malicious actors to install malware or ransomware, access all files on the server or install backdoors to your system for later access.
The vulnerability has been named Log4Shell for ease of reference and classified as a high severity 10/10 vulnerability (CVE-2021-44228). It affects version 2 of Log4j between versions 2.0-beta-9 and 2.14.1. It is patched in 2.15.0. The ACSC has listed the alert status as critical.
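To find out where you stand against that version range, an inventory check like the one below can help. It is an added example, not code from the Log4j project: it walks a directory for Log4j jar files and flags any whose version falls inside the affected range stated above. The Maven-style filename pattern (log4j-core-<version>.jar), the function names and the sample filenames are assumptions made for illustration.

```python
import re
import sys
from pathlib import Path

# Filename pattern is an assumption: Maven-style "log4j-core-<version>.jar".
JAR_RE = re.compile(
    r"log4j-core-(\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)-?\d+)?)\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

def parse_version(text):
    """Turn '2.14.1' or '2.0-beta-9' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)-?(\d+))?", text.lower())
    if not m:
        raise ValueError(f"unrecognised version: {text}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    # A final release sorts after all of its own pre-releases.
    pre = (PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (3, 0)
    return tuple(nums[:3]) + pre

# Affected range exactly as stated in this article.
FIRST_AFFECTED = parse_version("2.0-beta-9")
LAST_AFFECTED = parse_version("2.14.1")

def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED

def check_jar_name(name):
    """Return (version, affected) for a log4j-core jar name, else None."""
    m = JAR_RE.search(name)
    return (m.group(1), is_affected(m.group(1))) if m else None

def scan(root):
    """Map each log4j-core jar found under root to (version, affected)."""
    hits = {}
    for path in Path(root).rglob("*.jar"):
        result = check_jar_name(path.name)
        if result:
            hits[str(path)] = result
    return hits

# Constructed sample names, used when no directory is given.
SAMPLE = ["log4j-core-2.14.1.jar", "log4j-core-2.15.0.jar",
          "log4j-core-2.0-beta8.jar", "log4j-api-2.14.1.jar"]

if __name__ == "__main__":
    found = scan(sys.argv[1]) if len(sys.argv) > 1 else {
        n: check_jar_name(n) for n in SAMPLE if check_jar_name(n)}
    for where, (version, affected) in sorted(found.items()):
        print(f"{'AFFECTED' if affected else 'ok':9}{version:12}{where}")
```

Matching on filenames only finds standalone jars; a copy of Log4j bundled inside another application archive will not show up, so treat a clean result as a starting point rather than proof.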