One topic is currently making headlines everywhere: log4j. A security hole discovered is titled as the “Fukushima moment of the software world” and similar. The whole thing rarely says anything to laypeople. However, you may also be affected. We’ll tell you what log4j and Log4Shell are and what exactly happened there.
log4j simply explained
In Java, the log4j framework is used for logging (logging) application registrations. Or to put it another way: log4j is a kind of bouncer who detects when you access a certain page or when you log in. This makes it relatively easy to keep a log. And precisely because log4j is so simple, the framework has developed into a de facto standard over the past few years.
Although log4j is a reliable pioneer, this bouncer is not entirely flawless. Logical: everyone has a bit of dirt. But what exactly is the problem?
If the framework logs a registration, this is “noted” in a logging library. It becomes problematic if, for example, your username contains a readable command. So if your username is not “Philipp” but rather “$ ruf_den_server_auf_auf_dem_mein_böser_code_ lies_und_führ_ihn_aus” – greatly simplified – log4j will be compromised without further ado.
What went wrong?
Typically, a logging tool should be able to handle such an attack. The panic seemed all the greater when the news of the security hole made the rounds. The Federal Office for Information Security (BSI) explains the problem as follows:
“The logging library is used for high-performance aggregation of log data from an application. The published vulnerability enables attackers from versions 2.10 to execute their own program code on the target system, which can lead to the target system being compromised. “
Federal Office for Security in Information Technology
The Log4Shell vulnerability can not only be used to reload additional malware, but also to exfiltrate confidential data. For this it is not even necessary to reload external malware, “so that this exploitation can be carried out with a (simple) request”.
Sources: own research; Federal Office for Security in Information Technology