Log4Shell, the Java vulnerability that shakes the Internet, has made some experts talk about a potential “Cyber Apocalypse”.
It was discovered by Alibaba in November in the video game Minecraft, and is now running for cover.
Calm down, there are too many words to explain: Log4Shell, Java, Alibaba, Minecraft. And above all, what is happening that is so risky for the Net? To the extent that it is said to be “one of the worst Internet vulnerabilities ever”?
Let’s try to put some order, answering all the doubts and questions that this news may have raised.
Log4Shell, the Java vulnerability discovered on Minecraft
Let’s start with Minecraft. That is from a highly successful and long-lasting Microsoft video game, launched in 2011.
Now let’s move on to Alibaba. On November 24th, analysts of the Chinese giant discovered a flaw in Log4j, a Java utility from Apache, right in the famous Microsoft game.
Log4j and Log4Shell: what they are
But what is Log4j? It is an open source tool (i.e. with non-proprietary code) developed by Apache, used by many software programmers with Java language.
Java is the most used programming language in the world, for a huge amount of programs and applications.
Log4j allows you to write the so-called logs in the software, that is the status of the software itself. This allows you to follow the development of the software, recording progress, performance, problems and solutions. The history of the software, in short.
Here it is Alibaba experts discovered a vulnerability in the logs, called Log4Shell. Which allows any malicious people to make the machine perform the operations they want.
Eg? Marco Ramilli, CEO of Yoroi, explains this to his colleagues: “Anything. Right now what we see is that attackers use this vulnerability to mine cryptocurrencies ”(ie the operation that allows you to create cryptocurrencies). “But they could do anything: enter a company’s servers, see what’s inside, steal trade secrets, or decide to launch ransomware attacks to monetize their control of the systems.”
The risks
The risks are very high because, summarize the experts, “if you use Java you probably use Log4j”.
Log4j runs on 3 billion devices. It is distributed on millions of servers around the world, involving giants of the caliber of Amazon, Apple, Microsoft and Twitter.
In short: the Log4Shell vulnerability is a potential security risk for corporate and government network servers. But also for virtually all computers and mobile devices out there. This is why some have spoken of a potential “computer apocalypse”.
For Ramilli, the solution to vulnerability is a race against time. In fact, “malicious hackers could spread corrupted links and through this vulnerability open backdoors on people’s devices, phones, tablets, any object connected to the network. And once a backdoor is opened, one can do whatever he wants. “
Maximum severity
On a scale of 1 to 10, the severity of the Log4Shell vulnerability was rated as grade 10. It is classified as “one of the worst computer weaknesses discovered in recent years”.
This was done by the Apache Software foundation, the non-profit organization that has been developing open source software projects since 1999.
The statements
Meanwhile, Adam Meyers, vice-president of Crowdstrike, a US cybersecurity company, said: “The internet is on fire right now: technicians are scrambling to repair the servers while others, malicious, are trying to exploit the flaw “.
Our fledgling National Cybersecurity Agency led by Roberto Baldoni also took part. Regarding the flaw, Log4Shell spoke, in a note, of “a vast and diversified attack surface on the entire internet network.
The technicians of the National Cybersecurity Agency, in constant contact with the corresponding European and international agencies, recommend, given the danger of the vulnerability, to minimize its exposure on the internet by applying the necessary measures to their servers in the shortest possible time. “.
Apache releases the patch
Minecraft alone, the game on which the Log4Shell vulnerability was discovered, has something like 141 million users.
Because of this Apache Software Foundation rushed to the rescue immediately, releasing an emergency security update that corrects the serious flaw. And Microsoft took care of the specific fix for Minecraft.
It remains to be seen, in the days leading up to these releases, how and to what extent the hackers were able to act.