Cybersecurity & Infrastructure Security Agency director Jen Easterly called Log4Shell ‘the most serious vulnerability I’ve seen.’

What does Log4j do?

Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s open-source software provided by the Apache Software Foundation.

A common example of Log4j at work is when you type in or click on a bad web link and get a 404 error message. The web server running the domain of the web link you tried to get to tells you that there’s no such webpage. It also records that event in a log for the server’s system administrators using Log4j.

Similar diagnostic messages are used throughout software applications. For example, in the online game Minecraft, Log4j is used by the server to log activity like total memory used and user commands typed into the console.

Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.

Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server.

It is relatively simple to exploit Log4Shell. I was able to reproduce the problem in my copy of Ghidra, a reverse-engineering framework for security researchers, in just a couple of minutes. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it.

One of the major concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most software, which makes Log4j very widespread. In addition to popular games like Minecraft, it’s used in cloud services like Apple iCloud and Amazon Web Services, as well as a wide range of programs from software development tools to security tools.

Open-source software like Log4j is used in so many products and tools that some organizations don’t even know which pieces of code are on their computers.
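Finding out which copies of Log4j are actually on a machine, the inventory problem the article raises, usually starts with a scan of the Java archives on disk, including archives packed inside other archives. The sketch below is an added example, not code from the article or from the Log4j project; the function names and the nesting limit are assumptions made here, and it only recognizes log4j-core 2.x copies that keep their Maven metadata or the unrelocated `JndiLookup` class.

```python
import io
import os
import re
import zipfile

# Class in log4j-core 2.x that implements the remote (JNDI) lookup feature
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 5  # assumed bound on nested-archive recursion

def _read_version(zf):
    """Return the log4j-core version from Maven metadata, or None."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    match = re.search(r"^version=(.+)$", text, re.M)
    return match.group(1).strip() if match else None

def scan_archive(source, label, depth=0):
    """Scan one archive (path or file object) and archives nested inside it."""
    findings = []
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return findings  # unreadable, or not really an archive
    with zf:
        names = set(zf.namelist())
        version = _read_version(zf)
        if version or JNDI_CLASS in names:
            findings.append({"location": label, "version": version,
                             "jndi_lookup_present": JNDI_CLASS in names})
        if depth < MAX_DEPTH:
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    inner = io.BytesIO(zf.read(name))
                    findings += scan_archive(inner, f"{label}!/{name}", depth + 1)
    return findings

def scan_tree(root):
    """Walk a directory and report every copy of log4j-core found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in sorted(files):
            if fname.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, fname)
                findings += scan_archive(path, path)
    return findings
```

Call `scan_tree` on an install or application directory; each finding gives the archive location (nested archives are shown with `!/`), the version if the metadata survived packaging, and whether the lookup class is still present.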