A vulnerability was found in Log4j, an open-source logging library commonly used by apps and services across the internet. If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software.
Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.
Hackers are scanning through the internet to find vulnerable servers and setting up machines that can deliver malicious payloads. To carry out an attack, they query services (for example, web servers) and try to trigger a log message (for example, a 404 error). The query includes maliciously crafted text, which Log4j processes as instructions.
It is hard to know whether Log4j is being used in any given software system because it is often bundled as part of other software. This requires system administrators to inventory their software to identify its presence. If some people don’t even know they have a problem, it’s that much harder to eradicate the vulnerability.
Another consequence of Log4j’s diverse uses is there is no one-size-fits-all solution to patching it. Depending on how Log4j was incorporated in a given system, the fix will require different approaches. It could require a wholesale system update, as done for some Cisco routers, or updating to a new version of software, as done in Minecraft, or removing the vulnerable code manually for those who can’t update the software.