BD Project: The Log4J Exploit
Project by Cade McNair

The Log4J Exploit was originally discovered by an employee of the Alibaba Cloud Security Team named Chen Zhaojun. It was a zero-day exploit, meaning that when it was discovered there was no fix for the issue. While the issue had no fix for only 12 days, it still persists, as not all versions of the program have been updated to the one with the fix.
Office building where the bug was discovered


Diagram of how virus works


This exploit was very big and impacted many people. Lots of large companies were targeted or had to shut down their websites in response to the attacks. For days, many developers were very worried about what was happening.
Breaking news headline on story

Log4J was made by a Swedish programmer named Ceki Gülcü. He sold the software to Apache, and it is now part of the Apache Logging Services.

When the bug was discovered, the software was owned by Apache. One reason the bug had such a bad impact is how long it had been around.
Home city of Ceki Gülcü

Out of all the companies affected, the one where the most damage was done was Minecraft. Hackers used the exploit to obtain in-game items worth thousands of dollars and shut down servers (communities in Minecraft) with hundreds of thousands of players.
Minecraft banner image

First Paragraph: Inciting Factor

The Log4J exploit was a massive glitch that allowed viruses to be installed on companies’ computers. It affected lots of people and lasted much longer than it should have. This virus took advantage of a security issue in a program called Log4J, which is used in the coding language Java (an extremely popular coding language) and helps to log information (hence the log in Log4J). The program logs information such as website visits, posts on platforms (like a tweet on Twitter) and other data. In an IBM analysis article, the author writes that, “Hackers … [could] wreak havoc by typing malicious commands into public forms like chat boxes and login pages” (IBM Security Radar). This quote touches on how easy it was to put the virus on the computers of companies. It states that hackers would type commands into “public forms like chat boxes and login pages”, such as a Google search box or reply form on Twitter. Then, after hitting the “search” or “submit” button, the commands would get sent to the company’s computers and run, downloading the virus. The reason why it was so easy to send the virus to the computers is that the original creators of Log4J never thought that technology like this would be possible. Log4J was made a long time ago, and the creators of the program never updated it to account for future technologies after making the program. Not only did the creators make a mistake, but so did the people using the program. In the IBM analysis article, the author writes that, “Log4J is deeply embedded in the software supply chain” (IBM Security Radar). This is saying that the people (or companies) using the Log4J program wrote lots of code centered around the program itself. But, when the program was fixed (and changed), the companies and people using Log4J needed to re-write lots of code that was now incorrect because of the differences between the new and old versions. This created a massive delay in fixing the glitch, allowing hackers to keep on causing chaos for much longer than they normally would have been able to. Most exploits will only last one or two days until the problem is fixed, but this one lasted almost a week. In conclusion, the Log4J exploit was a glitch in a program called Log4J that let hackers send commands to companies’ computers to download a virus. This exploit happened because the creators of the program didn’t update the software to keep pace with new technology. And, because the program was used in many lines of code, it took much longer than it should have to fix the issue.

Second Paragraph: Consequence

The Log4J exploit affected many people and caused hundreds of thousands of dollars in damage. In an emergency post by the National Cyber Security Centre, the organization writes that, “a wide range of people, including organisations, governments and individuals are likely to be affected by it” (NCSC). This shows how broad the effects of this glitch were. Even government websites, such as the IRS, needed to be taken down until the issue was fixed. And before people even knew that the issue existed, everybody was vulnerable. According to one article, fifty-eight percent of online companies were affected by this glitch (Goslin). Not only did this issue affect many parties, but it also caused lots of damage. In an emergency post written by Minecraft, the company explains how compromising this issue is, writing, “this vulnerability poses a potential risk of your computer being compromised” (Mojang). While this message is meant to directly address Minecraft players, it can also be applied to anyone visiting a website and to owners of websites themselves. This is because almost all big websites use Java, and almost all websites that use Java use Log4J. And, because of the way Minecraft is coded, it acts somewhat like a website. Therefore, it can be reasonably assumed that users of any website which uses Java could have their computers compromised. And, when a virus is installed onto a computer, it can gather personal information such as passcodes, bank account details and search history. Plus, most viruses will destroy the computer’s hard drive after collecting this information and sending it to the hacker, meaning that many people had to buy whole new computers and protect themselves against identity theft. In conclusion, the Log4J exploit gave hackers access to many people’s computers and caused many websites to shut down because of the exploit.

Third Paragraph: Never Again

The Log4J exploit still has not been fully taken care of. While companies using Java are slow to fix the issue, companies using other coding languages like Python and JavaScript are taking steps to make sure that something like the Log4J exploit never happens to users of their coding languages. One example of this is the new, easy availability of security audits. According to the NPM website (a free tool in JavaScript which helps people manage the programs they are using like Log4J), a security audit is, “an assessment of package dependencies for security vulnerabilities” (Karrays and Thomson). This means that people can now scan the code that they are using for security issues such as the ones found in the Log4J exploit. And, if an issue is found by the scan, the program will try to fix it. If it cannot do this, it will alert the coder that there is a security risk which needs to be taken care of. This scan runs on all programs the coder is using, not just new ones. But, this is only available for people coding in JavaScript, and not for people coding in Java (the coding language that has Log4J). According to an article on Wired, “after a year, a quarter of the downloads [are] ... still vulnerable” (Newman). This means that a quarter of affected websites have still not fixed the glitch that allowed hackers to use the Log4J exploit, leaving about 14.5 percent of online websites still open to attack. But, people are trying to get the word out that these websites need to update their software, mainly by writing articles such as the one cited above. In conclusion, while coders using other coding languages have reacted to this issue and tried to put systems in place to stop similar exploits, many users of Log4J still have not fixed the issue, leaving themselves vulnerable to attacks by hackers.
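
The audit described above, and the earlier point that a logging program can be "deeply embedded in the software supply chain", can be sketched as follows. This is an added example, not NPM's own code: it is a simplified model of a dependency audit, and every package name, version number and advisory in it is constructed for illustration.

```javascript
// Compare two dotted version strings numerically (negative, zero or positive).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed advisories: versions >= introduced and < fixed are vulnerable.
// fixed === null means no patched release exists yet.
const ADVISORIES = [
  { name: 'example-logger', introduced: '1.0.0', fixed: '1.4.2' },
  { name: 'example-parser', introduced: '0.1.0', fixed: null },
];

// Constructed dependency tree. The vulnerable example-logger is not a direct
// dependency of my-app; it arrives inside example-web.
const TREE = {
  name: 'my-app', version: '1.0.0', dependencies: [
    { name: 'example-web', version: '4.2.0', dependencies: [
      { name: 'example-logger', version: '1.3.9', dependencies: [] },
    ] },
    { name: 'example-logger', version: '1.5.0', dependencies: [] },
    { name: 'example-parser', version: '0.9.0', dependencies: [] },
  ],
};

// Walk every package, direct or nested, and report each vulnerable one with
// the chain of packages that pulled it in and what can be done about it.
function audit(node, advisories, path = []) {
  const here = [...path, `${node.name}@${node.version}`];
  const findings = [];
  for (const adv of advisories) {
    if (adv.name !== node.name) continue;
    const affected = cmpVersion(node.version, adv.introduced) >= 0 &&
      (adv.fixed === null || cmpVersion(node.version, adv.fixed) < 0);
    if (!affected) continue;
    const action = adv.fixed
      ? `upgrade to ${adv.fixed}`
      : 'no fix available: alert the developer';
    findings.push({ path: here.join(' > '), action });
  }
  for (const dep of node.dependencies || []) {
    findings.push(...audit(dep, advisories, here));
  }
  return findings;
}

const REPORT = audit(TREE, ADVISORIES);
for (const f of REPORT) console.log(`${f.path}: ${f.action}`);
```

The first finding is the nested copy of the logger, which the app's own dependency list never mentions; the directly installed copy is already past the fixed version and is not reported.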

Works Cited: Text and Link

Goslin, Hope. “58% of Orgs Are Using a Vulnerable Version of Log4j.” Veracode, 15 Dec. 2021, www.veracode.com/blog/security-news/58-orgs-are-using-vulnerable-version-log4j.

IBM Security Radar. “What Is the Log4j Vulnerability? | IBM.” Www.ibm.com, www.ibm.com/topics/log4j. Accessed 1 Feb. 2024.

Karrays, Luke, and Edward Thomson. “Auditing Package Dependencies for Security Vulnerabilities | NPM Docs.” Docs.npmjs.com, 2023, docs.npmjs.com/auditing-package-dependencies-for-security-vulnerabilities.

Mojang. “Security Vulnerability in Minecraft: Java Edition.” Minecraft Help Center, help.minecraft.net/hc/en-us/articles/4416199399693-Security-Vulnerability-in-Minecraft-Java-Edition.

NCSC. “Log4j Vulnerability - What Everyone Needs to Know.” Www.ncsc.gov.uk, 14 Dec. 2021, www.ncsc.gov.uk/information/log4j-vulnerability-what-everyone-needs-to-know.

Newman, Lily Hay. “A Year Later, That Brutal Log4j Vulnerability Is Still Lurking.” Wired, www.wired.com/story/log4j-log4shell-one-year-later/.

