If you hadn’t heard of Apache Log4j, chances are it’s on your radar now. In fact, you may have been using it for years. Log4j is a logging library. Imagine writing your daily activities into a notebook. That notebook is Log4j. Developers and programmers use it to take notes about what’s happening on applications and servers. For example, they may use it to troubleshoot a security incident, like if someone were to log into an application with the wrong password. Log4j might be used to record when the person logged in, to which application and the password they used.
Log4j is used by a very large percentage of the Java programs developed in the last decade for both server and client applications. Java is also one of the top programming languages used by businesses. That’s why, on December 9, 2021, when Chen Zhaojun of the Alibaba Cloud Security Team discovered CVE-2021-4428, a.k.a. Log4Shell, a high-severity vulnerability that affects the core function of Log4j, and a publicly available exploit, cybersecurity researchers sounded the alarm.
CVE 2021-4428 enables attackers to perform remote code execution, which means they can run any code and access all data on the affected machine. It also allows them to delete or encrypt files and hold them for ransom. Any function the impacted asset can do, attackers can do as well with the exploit. This means anything that uses a vulnerable version of Log4j to log user-controlled data can be attacked.
end partial quote from:
https://securityintelligence.com/posts/apache-log4j-zero-day-vulnerability-update/
The problem is that people have been saying that Java would always have security problems because they didn't deal with this issue enough when it was first designed as a computer language. So, the security issues have not gone away from the Java computer language since it's inception. However, this has become a real problem now for basically all computers on earth now that are connected to the internet and that also likely use HTML and other online software languages.
Here's the problem as I see it. It's possible that not all computers have Apache Log4j loaded on board. But, if the computers that do have it on board can be run remotely by people anywhere on earth it is theoretically possible that they could infect almost any computer connected to the Internet from a remote place by attacking the Apache Log4j on the computers on earth that do have this program on board. Not only could they infect all internet connected computers remotely they could also theoretically steal data and hold it for ransom of millions and billions of dollars. This might be what is actually going on with Amazon and Streaming services lately. They might have been forced to pay money for their own data held hostage by hackers (either individuals or nationally paid hackers various places around the world especially places where they will never be prosecuted for this like Russia or China.
This is the problem as I see it.
No comments:
Post a Comment