January 29, 2022

4 questions about Log4shell, the flaw that is shaking the world

A 0-day flaw allows remote code execution without authentication and access to affected servers. It’s a godsend for pirates.

Computer researchers alerted publicly on Friday, December 10, 2021 on an extremely serious flaw affecting Apache Log4j, a particularly widespread Java library (a computer language).

This vulnerability allows remote code execution without authentication and access to affected servers. This is a dream vulnerability for attackers such as ransomware operators. What to give a cold sweat to the editors and users of these services like Apple or Steam, who spent the weekend to make the inventories of their infrastructures to check the exposure.

For further

Why is the Log4j flaw serious?

The fault is said to be 0-day (hear “zero days”). These flaws are particularly feared in IT security, because they concern vulnerabilities that have not yet been identified. Called CVE-2021-44228, and stamped with the nicknames Log4Shell and LogJam, it therefore had no patch at the time of its discovery. And all versions from 2.0 to 2.14.1 are affected. To put it another way, it is a large-scale flaw from which we could not protect ourselves.

The goals of a hacker can be multiple: to steal data, prevent a site or an application from functioning, paralyze systems and then demand a ransom… the list goes on. But to get there, the attacker must find a flaw in the computer systems he is targeting, a gateway. And the opportunity given by Log4Shell to execute code remotely without authentication and to access servers opens up almost limitless possibilities.

You can compare it to a burglar who would have the power to open your door and act freely in your home, without needing a key. Except that the lists (this one or that one) of vulnerable instances are dizzying: Minecraft (unsurprisingly, the game is coded in Java), Apple, Steam, Github, several Google services or even IBM software .

Is the Log4Shell flaw corrected?

Members of the Apache Software Foundation have developed a disaster patch to fix the vulnerability, version 2.15.0. Workarounds are also possible to reduce risks, as explained by the government center for monitoring, alerting and responding to computer attacks (Cert-fr) of the national information systems security agency (Anssi).

This fix is ​​far from a silver bullet, as the list of affected software is impressive, and it is not necessarily clear whether systems are vulnerable. A large part of the software is also still being analyzed, because many sub-services use Log4j libraries.

Suffice to say that many IT managers did not sleep much this weekend, between rushed audits and quick fixes. Faced with the risk of attacks, some such as the Canadian and Quebec governments have even chosen much more radical solutions and preventively closed not far from 4,000 sites.

Asked by the Canadian media La Presse, the Quebec minister for government digital transformation Éric Caire sums up the situation in these words: ” We have to scan all of our systems, because we don’t have an inventory. It’s like saying how many rooms in all Quebec government buildings use 60-watt bulbs. I do not know. So we go around the rooms and we go around the light bulbs to find out if it’s a 60 watt. It is a monk’s job. »

An inventory problem that is far from affecting only these governments in North America, and which presages many attacks in the coming weeks.

Since when was the Log4Shell flaw exploited?

According to Matthew Prince, CEO of IT security company Cloudflare, the first observed exploitations of the vulnerability date back to December 1, 2021, 9 days before it was made public. Without however observing massive exploitation of the vulnerability.

Who was attacked?

Difficult to answer precisely on the extent of the damage. So far, Check Point Software says it has seen an attempted attack on 44% of global systems. Several observers have also noted that hackers are already offering malware to attack the vulnerability.

Update 5:40 p.m. : addition of the names of affected services
Update 6.30 p.m. : addition of the last question

CyberGhost, Cyberwarre’s exclusive advertiser, is a premium VPN provider at affordable prices. It has thousands of secure servers spread across the world, allowing it to relocate its IP address and bypass geoblocks. CyberGhost does not keep any record of user activity. Its VPN application is available on all operating systems and connected devices and is the easiest to access on the market.

Learn more about CyberGhost’s VPN solution