patch

What is the Log4j Vulnerability?

Log4j is a widely-used library of log files for applications written in the Java programming language. It copies down everything that happens when a Java program runs. NPR spoke to Andrew Morris, founder and CEO of cyber intelligence firm GreyNoise, who described Log4j as “…a modular component that's used in many, many different kinds of software. And its job is... just basically recording things that happened and writing them to another computer somewhere else.” In December of 2021, Log4j was found to be vulnerable to remote code execution.

Put more simply, Log4j is a vulnerable logging library that allows attackers to take control of remote devices running Java software. This represents a severe security risk. Gadgets 360 reports that "the Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade," said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the US Computer Emergency Readiness Team.

One of the most popular programs affected by this vulnerability is Minecraft. John Hammond, a noted cybersecurity researcher, recently posted a video showing how Log4j could be exploited in Minecraft, allowing a remote user to access the calculator of a system (proving that any other program or command could also be run). Tech Times posted an article detailing how Minecraft users can defend against this threat.

Unfortunately, Minecraft is not the only vulnerable software. Speaking to CNET, Nadir Izrael (CTO and co-founder of IoT security company Armis) said that “generally speaking, any consumer device that uses a web server could be running Apache. Apache is widely used in devices like smart TVs, DVR systems and security cameras. Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates. The day they're unboxed and connected, they're immediately vulnerable to attack."

To mitigate this threat, users should continue to install all security patches and updates as soon as possible. As companies roll out patches to this vulnerability, it is important to stay on top of those updates!

The Return of PunkSpider

PunkSpider is a tool that automatically crawls the internet searching for vulnerable websites. It then lists those websites and their vulnerabilities in a public database with the intention of creating a more secure online world. It was originally launched by developer Alejandro Caceres and his company Hyperion Gray, but was eventually shut down. It is slated to return at Defcon in August of 2021. But what does this really mean for vulnerable websites?

When asked about his intentions with this tool, the developer said “wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free? I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good” (Caceres, WIRED article).

The other side of the argument comes down to timing. Regardless of the good intentions, “bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches” (Karen Gullo, email to WIRED).

This raises the question: should a tool like PunkSpider exist? Should those vulnerabilities be made public? Will this lead to more ransomware attacks? Caceres responded to these concerns by saying “you know your customers can see [the vulnerabilities], your investors can see it, so you’re going to fix that s*** fast.”

What do you think about PunkSpider? Leave a comment below. Thanks for reading!