Log4Shell, an internet vulnerability that affects millions of computers, involves an obscure but nearly ubiquitous piece of software, Log4j. The software is used to record all manner of activities that go on under the hood in a wide range of computer systems.
Jen Easterly, director of the U.S. Cybersecurity & Infrastructure Security Agency, called Log4Shell the most serious vulnerability she’s seen in her career. There have already been hundreds of thousands, perhaps millions, of attempts to exploit the vulnerability.
So what is this humble piece of internet infrastructure, how can hackers exploit it and what kind of mayhem could ensue?
Cybersecurity & Infrastructure Security Agency director Jen Easterly called Log4Shell ‘the most serious vulnerability I’ve seen.’
Kevin Dietsch/Getty Images News
What does Log4j do?
Log4j records events – errors and routine system operations – and communicates diagnostic messages about them to system administrators and users. It’s open-source software provided by the Apache Software Foundation.
A common example of Log4j at work is when you type in or click on a bad web link and get a 404 error message. The web server running the domain of the web link you tried to get to tells you that there’s no such webpage. It also records that event in a log for the server’s system administrators using Log4j.
Similar diagnostic messages are used throughout software applications. For example, in the online game Minecraft, Log4j is used by the server to log activity like total memory used and user commands typed into the console.
How does Log4Shell work?
Log4Shell works by abusing a feature in Log4j that allows users to specify custom code for formatting a log message. This feature allows Log4j to, for example, log not only the username associated with each attempt to log in to the server but also the person’s real name, if a separate server holds a directory linking user names and real names. To do so, the Log4j server has to communicate with the server holding the real names.
Unfortunately, this kind of code can be used for more than just formatting log messages. Log4j allows third-party servers to submit software code that can perform all kinds of actions on the targeted computer. This opens the door for nefarious activities such as stealing sensitive information, taking control of the targeted system and slipping malicious content to other users communicating with the affected server.
It is relatively simple to exploit Log4Shell. I was able to reproduce the problem in my copy of Ghidra, a reverse-engineering framework for security researchers, in just a couple of minutes. There is a very low bar for using this exploit, which means a wider range of people with malicious intent can use it.
Log4j is everywhere
One of the major concerns about Log4Shell is Log4j’s position in the software ecosystem. Logging is a fundamental feature of most…