Security holes are an almost daily problem in the digital society. However, until now very few have had a scope comparable to "Log4Shell", rated as "critical" by multiple cybersecurity organizations worldwide, including Spain's National Cybersecurity Institute (Incibe) and National Cryptological Center (CCN-CERT). The reason is that it affects the Apache Log4j open source library, used by millions of companies and digital services, and, on top of that, it can be exploited with extreme ease by cybercriminals.
The function of Apache Log4j is to create a log of the activities carried out by applications programmed in the Java language. The hole allows an attacker to insert lines of malicious code into that log from outside, which opens the door to the system running viruses, ransomware, data theft or almost any other type of infection.
"Java is a programming language with which many of the programs and applications used on computers, web pages, etc. are created, so millions of users of hundreds of online services could potentially be affected," Incibe explains.
The vulnerability is of the zero-day type, as those that have been present in a system since its construction are called. "It is one of the most serious that I have seen in my entire career, if not the most serious," acknowledged Jay Gazlay, director of the US Cybersecurity and Infrastructure Security Agency. The Apache Software Foundation gives it a risk level of 10 out of 10.
End users of programs and applications cannot patch the hole themselves; that task falls to the developers of each digital service. As cybersecurity organizations point out, what is necessary is to take great care to keep all programs and applications updated to the latest version, which will include the patch for Log4Shell.
The first patch was released on Friday and caused a hectic weekend for the technical teams of companies and institutions around the world. This Tuesday a new update was published to mitigate the problem, because it could still be exploited even after installing the first one. However, the widespread deployment of Apache Log4j, used for more than a decade, makes experts fear that the hole could remain dangerous for quite some time.
"An increasing number of vulnerable products are expected to be discovered in the coming weeks. Due to the ease of exploitation and the breadth of applicability, it would not be surprising if ransomware actors began to take advantage of this vulnerability immediately," warned CCN-CERT, which is in charge of cybersecurity for Spanish public institutions.
The Log4Shell flaw was discovered by Chen Zhaojun, a researcher on the Alibaba Cloud Security Team. One example of how easily it can be exploited comes from the video game sector: Minecraft's servers were hacked with a simple chat message from its players, according to Marcus Hutchins, an expert in computer security.