Log4j: What’s going on, and should Aussie businesses be concerned?

Source: Unsplash/Sigmund.

This weekend, you may have seen a whole lot of tech chatter about log4j, vulnerabilities, exploits and chaos spanning the world wide web.

A vulnerability was unearthed in a piece of Java code in use across software applications all over the world, and malicious actors have been quick to take advantage of it.

The news had big names in tech, including Atlassian co-founder Mike Cannon-Brookes, sending love to the system administrators, engineers and security teams clamouring to patch their systems and protect their own users.

“It’s a doozy,” Cannon-Brookes tweeted.

But what is the log4j vulnerability, and what does it mean for Australian startups and small businesses? Here’s what you need to know.

What is log4j?

Log4j is a logging framework API written in Java and distributed under the Apache Software License. And it’s popular.

The code is used in all kinds of software applications all over the world, to log information about users’ IP addresses, browsers, requests made and pages accessed, for example.

It helps system administrators monitor whether software is running smoothly, and can also help with catching bugs when things go wrong.

This weekend, a vulnerability emerged in the log4j logging framework, putting any company that relies on software built with log4j at risk.

What problems does the log4j vulnerability cause?

The vulnerability in the log4j code essentially allows remote actors to execute commands on servers. That can allow attackers to gain access to systems, request credentials and ultimately take control, if they wish.

The vulnerability is affecting some of the biggest tech companies in the world. It can be exploited in servers operated by Apple, Twitter, Cloudflare, Valve and Tencent for example.

Microsoft’s Minecraft is also reportedly being exploited.

To make a real-world analogy, one Twitter user compared the vulnerability to “giving the keys to your house to a random stranger … without even realising”.

Still confused? The Twitter thread above lays out what’s going on in relatively simple terms “for non technical people”.

Will it lead to more cyber attacks?

In a nutshell, yes. In fact, Cynch Security co-founder Susie Jones tells SmartCompany it already has. Both attackers and researchers have been “crawling the web” over the weekend, looking for vulnerable systems, she says.

The vulnerability is relatively easy to discover, Jones adds, and anyone with an interest in cyber attacks — malicious or not — will likely be looking into it.

“Attackers are already evolving to get past defences as well, so this is likely to be with us for the foreseeable future.”

Should Aussie businesses be worried?

Again, in a nutshell the answer is yes. This is a global issue and Aussie businesses are not exempt.

Businesses most at risk of attacks are those that develop software or have internet-facing services, Jones explains.

If your business has any software that has access to the internet and is running Java “there’s a high likelihood you have a problem”, she says.

Java is used in many popular applications that a lot of businesses rely on, she notes, so it can be tricky for small businesses in particular to figure out whether they’re exposed.

“If you have external facing systems, strange outbound connections might give you a hint that your systems are impacted,” she adds.

“If you’re not sure, we recommend getting some help reviewing your systems.”

What can business owners do about it?

As this is such a widespread issue, affecting so many different systems, there is unfortunately no quick fix.

The first thing to do is try to figure out if any of your systems are running Java, prioritising those that can be accessed from the internet, Jones says.

Where possible, business owners should limit the capability for their internet-connected systems to open a connection to unknown locations.

Within the next few days, it’s important to keep an eye out for any security updates from software providers, and to implement them as soon as possible, Jones adds.

“If you can’t patch, look into ways to disable log4j features until a patch is available,” she says.
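For technical staff doing the inventory step described above, here is an added example (not from Jones or the log4j project) that walks a directory and reports every Java archive bundling the log4j core library, including copies nested inside other archives. The function names are hypothetical, and it assumes the library's standard file layout: the `JndiLookup` class and the Maven `pom.properties` file that log4j-core jars carry.

```python
import io
import os
import sys
import zipfile

# Class that implements the lookup feature inside log4j-core.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that log4j-core jars carry; holds a "version=" line.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def scan_archive(data, label, depth=0, max_depth=4):
    """Return [(location, version)] for every log4j-core copy inside one archive."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # corrupt or not really a zip: skip, do not abort the scan
    with zf:
        names = zf.namelist()
        # Match by suffix so copies under WEB-INF/classes/ or similar are found.
        if any(n.endswith(MARKER) for n in names):
            version = "unknown"
            for n in names:
                if n.endswith(POM):
                    for line in zf.read(n).decode("utf-8", "replace").splitlines():
                        if line.startswith("version="):
                            version = line.split("=", 1)[1].strip()
            hits.append((label, version))
        # Fat jars and WARs bundle their libraries as nested archives.
        if depth < max_depth:
            for n in names:
                if n.lower().endswith(ARCHIVES):
                    hits += scan_archive(zf.read(n), f"{label}!/{n}", depth + 1, max_depth)
    return hits

def scan_tree(root):
    """Walk a directory and scan every Java archive found under it."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ARCHIVES):
                with open(os.path.join(folder, name), "rb") as fh:
                    hits += scan_archive(fh.read(), fh.name)
    return hits

if __name__ == "__main__":
    for location, version in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"log4j-core {version}: {location}")
```

Check each reported version against the vendor's security advisories. A copy whose packages have been renamed inside another library will not match and needs a separate review.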

COMMENTS

YoYo
1 month ago

Yes, this one is serious. The irony is that it’s not a bug, it’s a feature that can be exploited extremely easily. How bad entirely depends on how the logging is handled. But it shouldn’t be ignored.

If you have no idea if you are affected, you can disable the “feature” with an environment variable. Details on the Log4j website: https://logging.apache.org/log4j/2.x/security.html

If you don’t have technical staff to look at this, hire a consultant ASAP.