How to talk to your parents about #Log4Shell

I’ve seen a bunch of totally bananas takes in the news on the vulnerability in the Java library known as Apache Log4j (log-for-jay, logforge, let’s call the whole thing off). If you’re like me and have non-technical family and friends who may have out of body experiences when hearing the words “cyber”, “vulnerability”, “cloud” and the like, these stories may or may not have created additional distress in your life—or they sure will over the next few weeks.

So let’s talk about what Log4Shell is in a way that we can share with mom, dad, grandma and grandpa that will keep them from forwarding you random infosec memes that have leaked into their Facebook feeds with panicked emoji.

Log4j is, let’s face it, one of the most boring pieces of code in the world. It logs things. That is all it’s supposed to do: it’s a software clerk keeping the books on whatever it’s told to keep the books on.

Somebody decided to use it for Minecraft chat, and that was an example of why game developers are to security like tennis balls are to Formula One racing—totally unrelated until they wander into places they shouldn’t be, and then a hazard to all. Log4J can do that, but should it, really? No.

All I can figure is that at some point someone on the Log4J team got bored with the boring job Log4J has and decided, “Hey, what if we could make Log4J do *extra things* by talking to other software that has nothing to do with what we’re logging and inject that magically into the logs? And, like, make it able to do things triggered by what’s in the messages we get?” So in Log4J 2 Electric Boogaloo they added lookups and message substitution, and suddenly we had a logger that could see a message to a web server from somebody in Russia and decide to download a program that installs the computer equivalent of the flu, or Covid, or spontaneous human combustion.

But this can only happen on things that have Log4J, which (probably) doesn’t include your grandma’s Jitterbug phone or your toaster or your personal computer or pretty much anything that is not running Java 7 or 8 software in a way that talks to the Internet. It will not allow the Russians to hack your pacemaker (probably). It will not make your television tune to OAN or Fox (that is what your uncle does; don’t let him have the remote).

So, dispel those concerns of sudden disruption of daily life. That will come later, when the bad guys pivot on the back doors they dropped this week on all the hospital billing systems and bank sites in the world that run on WebLogic or whatever and steal all the data and their identities and money and wipe every hard drive on the planet.

Merry Christmas.
