A single piece of software used commonly to record often mundane happenings on a server or application is now responsible for IT folks scrambling to look for loopholes in their cloud services, software programs and connected devices.
From the popular Microsoft Minecraft game to cloud services from Google and Amazon, many of the digital content and services people enjoy today rely on foundational pieces of code, including this little logging tool called Log4j.
Just take a look at the list of known items affected, according to researchers in the Netherlands. Most importantly, it includes a number of cloud service providers, network equipment vendors and cybersecurity vendors as well.
If you were a hacker, yes, you would be quick to start scanning for organisations that are slow to patch up their systems to batten down the hatches.
That’s because, once you’re in, you have control of the system, possibly from a very deep level, to see what the victim will be trying to do next. From there, you evade and keep hidden until it’s time to, say, steal data or lock up a system for ransomware.
Not surprisingly, many cybersecurity companies have found increased activity – up to hundreds of intrusion attempts per minute – from hacker groups. They have been given a golden opportunity here.
In response, governments around the world, including in Singapore, have also been quick to remind businesses to update their software to keep out attacks. Many businesses have sprung into action to look for vulnerabilities.
Unfortunately, the issue is not just about patching up one’s server software – that itself is a painful thing, if you ask any IT administrator – it has to do with first looking for all the services and devices that depend on this piece of code that has now presented a loophole into their systems.
Indeed, the difference between this Log4j loophole and others that are discovered daily is its sheer ubiquity.
Since the open-source Log4j code, maintained by the nonprofit Apache Software Foundation, is used so commonly and as a foundational element in much of today’s IT infrastructure, the impact of a vulnerability is a lot more widespread.
With so much interconnected today, it is not easy to simply shut down one service, get it back online and hope everything else connected to it goes on running.
Think of a cloud service that goes offline. It affects the applications that are hosted there, which in turn affects many users down the line, who may be supporting others with their own applications and services.
And updating is not as simple as pressing an update button. Some software or devices that use Log4j might require you to get the patches from vendors, so you have to wait for those vendors to deliver the update.
With others you may try to update the individual Log4j code yourself or, as a temporary fix, use a Web application firewall (WAF) to block off access to potential intruders, according to cybersecurity companies such as Mandiant.
Increasingly, as more complex systems get set up and interlinked, any foundational element that gets exposed will cause widespread vulnerability and disruption.
Like it or not, this is part of the experience for today’s software-driven IT world. Software does eat up the world, to paraphrase a popular saying.
The good news is that at least Log4j was based on open source code. When there’s a vulnerability, it’s quickly known to all who use it, which means everyone jumps in to find a solution, as is the case now.
As an engineer friend of mine told me, imagine if this were a piece of proprietary software and the company behind it had hidden it and taken a long time to offer an update. That would make things a lot worse.