Why is Log4J Such a Big Deal?
Log4J allows hackers to do anything they want on nearly any computer.
Under normal circumstances, I would have put out another brief yesterday, but because of the holiday, I did not. At this time of year, a lot of outlets slow down their publications and focus on year-end retrospectives. Retrospectives bore me, and we won’t have a lot of useful information about last week until the holidays are over. I’ll include last week and this week in the next brief. I did promise an explanation of why the Log4J vulnerability is such a big deal, and I now have enough information to explain it.
Hopefully, the existence of a vulnerability known as “Log4J” or “Log4Shell” is not news to you. (If it is news to you, you should subscribe to The OSIRIS Codex immediately, or read the emails you are already receiving.) The Log4J vulnerability is possibly the worst vulnerability ever discovered.
If you are a cybersecurity professional or manage a web server and you aren’t patching, you really, really should be. If you are an average user, however, you might wonder why Log4J is such a big deal. Let me explain in simple terms.
Using Libraries in Programming
To explain, we have to get into the guts of programming a little bit, but I’ll use a metaphor I hope you will understand. Take writing an essay as an example. When writing an essay, we often need to express the same idea over and over again. Writing the same thing repeatedly is not only tedious for the writer but boring for the reader, too. Good writers use aspects of language to avoid tedium and boredom.
The most common solution is to create a new word or neologism. Combine “web” and “seminar” to make “webinar” rather than saying “seminar everyone can attend online” over and over again. Alternatively, use SCUBA to mean “self-contained underwater breathing apparatus” long enough, and you eventually get “scuba divers.”
You can also cite or quote other sources. An unfortunate number of essays start with “According to Merriam-Webster…”, which is an acceptable way to use other people’s writing in our own. Dictionaries and encyclopedias are explicitly written for people to use in their own lives. In academic writing, we also use citations.
In programming, the need to do tasks repeatedly is like the need to express the same idea over and over again. If the task is simple, like printing text to a display, the language itself will have a command built in. Commands are like words the language already understands. Most common computer languages are evolving like human languages and get new commands all the time.
Another solution is to use a computer “library.” Libraries are like dictionaries and encyclopedias for computer programming tasks. Computing libraries exist to allow people to repeat the same task easily, without writing out the entire thing.
Programmers use libraries by “calling” the library, which tells the program to use the code someone else wrote. Calling the library is like using a citation or a link, but more in-depth. A reader does not have to read all the citations or links (and I know you don’t), but calling a library forces the program to use that code.
Log4J is an Important Code Library
The Log4J vulnerability exists in the Log4J library for Java and Apache. Java is one of the most common programming languages online. Apache is among the most common ways to access websites.
Log4J is an easy way for Java and Apache programmers to have their programs write "logs." Programmers are just like you; they run programs, and then wonder “what just happened?” Logs record what programs did, allowing people to see what happened.
Most programs have logs even if you don’t see them. Logs allow programmers and users to diagnose problems and see if the program is doing what it is supposed to do. The program you are reading this essay with is definitely logging what it is doing in the background, so that if the program crashes, you can go in and see why.
The vulnerability in Log4J and Apache is everywhere because the library is everywhere. It’s possible Substack uses Log4J, and even if it doesn’t, odds are high you visit a website every day that uses Log4J. But Log4J’s ubiquity is only half the problem.
Unpatched Log4J Allows Hackers to Create a “Reverse Shell”
Log4J is a catastrophic problem because it allows hackers to create a “reverse shell” into the “host” computer. The host computer is the computer that is running the program that uses Log4J. In most cases, the host computer we care about is the “web server,” or the computer that hosts websites using Apache.
Reverse shells allow someone to run programs on the host computer. A shell lets a user enter commands into a computer, usually through a command line. Establishing a reverse shell allows a client to send commands to the host through that shell.
Reverse shells are a lot like the key to your house, because whoever has it determines whether it is good or not. Reverse shells are important and can be good, because they are a tool for using computers remotely. When bad people get reverse shell access, they can do bad things.
For our purposes, the process of getting a reverse shell using Log4J is unimportant. If you want to know, Hak5 has a tutorial video you can follow. The fact that the whole video is less than 10 minutes long should indicate how relatively easy this exploit is.
Log4J Is a Big Problem Because it is Common and Severe
The reason Log4J is such an issue is a combination of how frequently Apache servers use the Log4J library, and how frequently bad hackers can use it to get a reverse shell. Log4J is kind of like discovering that most home locks have a weakness that allows anyone to unlock them. By the way, before someone points out that this is why old things are better, please note that most home locks do have a weakness that allows someone to unlock them.
The problem is not that Log4J allows hackers access to your computer, but that hackers could control web pages to do bad things to your computer. Most people probably do not run an Apache server on their computer, and without the server, the vulnerability in Log4J is not on your computer. However, the ability to run a reverse shell on a web server allows hackers to install malware on the web server, and perhaps have it install malware on your computer. For the average person, Log4J makes personal security that much more important.
Log4J is a big deal we should take seriously, but for most people, the important thing is to practice good cybersecurity hygiene. Check to make sure nothing you are responsible for uses Apache or Log4J; there are more instances out there than you may realize. Otherwise, there is not much you can or need to do to protect yourself from Log4J vulnerabilities.
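The post above says to check whether anything you are responsible for uses Log4J. Here is an added example of that kind of inventory check (not code from the original post): a Python script that walks a directory, finds Log4J core jars (loose or bundled inside a .war/.ear) and reports whether each one still contains the JndiLookup class, the class that the published mitigation strips out of the jar. The jar naming pattern is an assumption, and the sample jars are constructed in a temporary directory so the script runs offline.

```python
import io, os, re, tempfile, zipfile

# The class that Log4Shell mitigations remove from log4j-core jars.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
NAME_RE = re.compile(r"^log4j-core-(.+)\.jar$")  # assumed naming: log4j-core-<version>.jar

def inspect_jar(name, data):
    """Return a finding for one jar held in memory, or None if it is not log4j-core."""
    m = NAME_RE.match(name)
    if not m:
        return None
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        present = JNDI_CLASS in zf.namelist()
    return {"name": name, "version": m.group(1), "jndi_lookup_present": present}

def scan(root):
    """Walk root; report every log4j-core jar found loose or bundled inside a .war/.ear."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if fname.endswith(".jar"):
                f = inspect_jar(fname, data)
                if f:
                    findings.append(dict(f, path=path))
            elif fname.endswith((".war", ".ear")):
                with zipfile.ZipFile(io.BytesIO(data)) as outer:
                    for entry in outer.namelist():
                        f = inspect_jar(os.path.basename(entry), outer.read(entry))
                        if f:
                            findings.append(dict(f, path=path + "!" + entry))
    return findings

def make_sample_tree():
    """Constructed sample data: one unpatched jar, one stripped jar, one bundled in a war."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-core-sample-old.jar"), "w") as zf:
        zf.writestr(JNDI_CLASS, b"")  # class still present: unpatched
    with zipfile.ZipFile(os.path.join(root, "log4j-core-sample-new.jar"), "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", b"")  # class removed: mitigated
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-sample-bundled.jar", inner.getvalue())
    return root

if __name__ == "__main__":  # run stand-alone against the constructed sample
    for f in scan(make_sample_tree()):
        print("UNPATCHED" if f["jndi_lookup_present"] else "ok", f["path"])
```

Point scan() at a real deployment directory to inventory your own systems; anything reported as UNPATCHED needs the library updated or the class removed.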
Staying safe online is like staying safe everywhere. One new problem isn’t too bad if you’re otherwise safe. If you’re operating on the margin, every little problem can be disastrous.
David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at dbenson@osiriscodex.com.
Another great piece, David, thanks! Do you have a fav primer on cybersecurity hygiene? I'm aiming to boost my game heading into 2022.