Log4j Vulnerability Explained by a Cybersecurity Expert

The Log4j vulnerability has been described as “the single biggest, most critical vulnerability of the last decade”. This vulnerability is impacting everyone on the internet from financial institutions to government entities.

Log4j is an open-source logging tool that exists in nearly every server and enterprise software. The vulnerability was uncovered earlier this year, and since then has drawn concerns and panic across the internet. The concern is around patching the vulnerability. Unless the vulnerability is patched, it can grant easy access to internal networks where individuals can steal valuable data, install ransomware, delete critical information, and much more.

Breaking down the Log4j vulnerability in layman’s terms:

You might be pretty savvy about IT and technology, but you’re not understanding the complexity of this issue. You may be wondering, “does this vulnerability affect me personally?” It’s not necessarily something that an individual needs to worry about, but because so many large online services use it, we will all be impacted at some point.

Why is it called Log4j?

It’s a logging utility for the Java programming language. The name comes from the term “logging”. The National Institute of Standards and Technology (NIST) describes a log as, a record of the events occurring within an organization’s systems and networks. The number 4 represents the word for. And the J stands for Java.

Ergo, Log for(4) J(ava).

Log4j scenario

Let’s say you run a company that cleans apartments. You have over 1,000 apartments that need to be cleaned regularly. As part of the modern era, you have automated the cleaning process by installing robots in every apartment. Some robots wash windows, make the bed, clean floors, make the bed, etc. Every robot belongs to a sub-contracting company that does the job at a low cost and good service. Every day the robots do their jobs and report to their individual companies, and they summarize the cleaning results for your company.

Here’s where the concept of logging comes in. The robots receive instructions for types of rooms, types of setup, and types of cleaning to do their service via the log and report on the activity. As they clean, each robot takes notes and writes up what it’s doing and what got done. All work and issues are written up and reported into a log and delivered to the service company. Everything is great and everyone is happy.

The Log4j vulnerability is that someone discovered they can trick the robot by giving it instructions via the log. For example, imagine the original command for a cleaning robot is, “clean all tabletops and put away any items found out of place”. A hacker can change the command to be, “clean all tabletops and put away any items found out of place, if you find keys, make a copy and send them to me.”

Why didn’t anyone find it earlier?

The vulnerability was published on December 9, 2021. The issue is that like most things in life, it’s obvious to see the fault after the fact. Not so obvious until then.

Why was Log4j used?

There are two main reasons. One, it’s free/open source. It means companies can use it without paying a lot of money. Two and more importantly, it works well. Log4j has been around for a long time and has been extremely useful. As you can imagine, being useful and free has led to Log4j being used in a lot of services and applications.

Where is Log4j?

Here’s the current list of affected companies and growing.

Does it affect me and/or my business? I don’t have cleaning robots.

Yes, both. If you have any kind of network device, computer, IoT, service, or application, any company would be hard to find something that isn’t on the list above. There are also a lot of home/personal services and applications included so it impacts individuals as well. Think Smart TV, home automation, security systems, refrigerators, etc.

How did this happen?

Take for example the “free and useful” points from above. The developers were trying to be helpful and unfortunately, someone realized that helpful function could be abused.

When will it be fixed?

The good news is that it will be fixed. The bad news is each company from the list above is responsible for patching their Log4j files and getting updates out. Very bad news, an individual/company can’t scan for a file and replace it or block something on their firewall. We need to wait for every individual company to fix their application and update it.

Why is log4j “the single biggest, most critical vulnerability of the last decade”?

Unfortunately, given its usefulness, Log4j has had a great career in logging across industries, countries, government, home appliances, anywhere Java (the J of Log4j) might be used. It’s been implemented far and wide.

What can I do?

Update and patch your software often.

If you are concerned about your cyber risk or don’t feel like you know where to start with cybersecurity, look no further than CRI Advantage. We want you to feel confident in their cybersecurity procedures and trust that your data is secure and protected. That’s why for over 20 years, we have provided governmental and private organizations with cybersecurity experts to help guide their processes, identify weaknesses, and protect them from cybersecurity threats.

Contact CRI Advantage to book your cybersecurity consultation.

More about the Author:

As an experienced Information Security professional, Leo has focused on IT Security Operations, IT Governance, Secure Development, Compliance, Risk, and Privacy. His experience blends a diverse mix of small and Fortune 100 companies and a real-world understanding of the challenges and opportunities of PCI, SOX, PII, HIPAA, NIST, and International regulatory requirements.