Tuesday, December 21, 2021

Is Log4j the security bug from hell?

I'm getting multiple people asking.  The short answer is that this is very, very bad.  However, for most readers there's nothing they can (or should) do.

The long answer is, well, long.  Security guru Bruce Schneier thinks that it's really bad.  Lawrence has an excellent post for the non Security nerd that goes into some depth on why this is so bad.  It will also be obvious to you why there's nothing you can do about this (unless you're a professional IT Security Geek).

The medium length answer is that Log4j is an open source logging program included in just about everything on the Internet.  Logging is A Good Thing, because if someone messes around with your system the logs will tell you a lot about what they were up to.  However, Log4j doesn't check the data that it writes to the log file, and in particular allows a malicious attacker to include executable code that the system will run.  So an attacker can attempt to log in using a made up username that executes all sorts of malicious commands.  It's basically an Internet-wide Bobby Tables situation:


And like I said, there's pretty much nothing you can do.

3 comments:

Remember your manners when you post. Anonymous comments are not allowed because of the plague of spam comments.