Everybody get ready to patch up. What started off as a security issue for fans of the immensely popular video game Minecraft has quickly transformed into a full-blown, internet-wide crisis.
In short, a particularly severe vulnerability has been discovered in the widely used Java logging library Apache Log4j, and because that library is embedded in so much software, it affects droves of widely used platforms.
The bug initially gained widespread attention Friday as an issue affecting players of Minecraft’s Java Edition. In a PSA posted Friday, company officials warned players that the security flaw needed attention immediately. “This vulnerability poses a potential risk of your computer being compromised, and while this exploit has been addressed with all versions of the game client patched, you still need to take the following steps to secure your game and your servers,” the statement reads, outlining a step-by-step guide for patching.
The vulnerability, which has been nicknamed Log4Shell, has been formally identified as CVE-2021-44228 by the Apache Software Foundation and has apparently been given a severity rating of 10 on the Common Vulnerability Scoring System scale—the highest possible rating.
But, unfortunately, as previously noted, Minecraft isn’t the only application threatened by the bug. In fact, we may have a pretty big problem on our hands here—as reportedly “millions” of applications use log4j, including some of the web’s largest platforms (see: Apple, Twitter, Cloudflare, Valve, and others). Cybersecurity experts took to the internet Friday to express dire concern about the vulnerability. They are pretty much begging companies to patch their systems immediately.
Robert Graham, a cybersecurity expert, temporarily changed his Twitter username to “THREAT LEVEL RED FIX YOUR LOG4J.” Famed British hacker Marcus Hutchins called the vulnerability “extremely bad.” And even the cybersecurity director at the NSA, Rob Joyce, chimed in: “The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA,” he claimed.
Reports of active exploitation have also begun to trickle in. GreyNoise, a security firm, wrote on Twitter that it was seeing active exploitation of the bug: “GreyNoise is detecting a sharply increasing number of hosts opportunistically exploiting Apache Log4J CVE-2021-44228. Exploitation occurring from ~100 distinct hosts, almost all of which are Tor exit nodes.” Other security companies have made similar assessments.
Further information on the vulnerability and mitigation steps can be found on Apache’s website. If your organization uses the log4j library, security experts are recommending that you upgrade to log4j-2.1.50.rc2 immediately. Better do it! This is just the beginning for this extremely dangerous vulnerability.
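A defender-side inventory check, added here as an example and not part of the article or of Apache's own tooling: it walks a directory for jar/war/ear archives, descends into nested jars, and reports any bundled log4j-core whose version is below a fixed release. The fixed-version threshold (2.15.0) and the pom.properties-based version lookup are assumptions of this example, not details taken from the article.

```python
import io, re, zipfile
from pathlib import Path
# Assumption (not stated in the article): Log4j 2.15.0 was the first release
# addressing CVE-2021-44228, so any log4j-core below it is reported as affected.
FIXED_VERSION = (2, 15, 0)
CORE_CLASSES = "org/apache/logging/log4j/core/"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
VERSION_RE = re.compile(r"^version=(\d+)\.(\d+)\.(\d+)", re.M)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data: bytes, label: str, findings=None) -> list:
    """Return (label, version, affected) per log4j-core found, recursing into nested jars."""
    findings = [] if findings is None else findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        if any(n.startswith(CORE_CLASSES) for n in names):
            # Maven's pom.properties gives the exact log4j-core version, even in shaded jars.
            m = VERSION_RE.search(zf.read(POM_PROPS).decode()) if POM_PROPS in names else None
            version = tuple(int(x) for x in m.groups()) if m else None
            # An unreadable version is flagged as affected so a human reviews it.
            findings.append((label, version, version is None or version < FIXED_VERSION))
        for n in sorted(names):  # WEB-INF/lib/*.jar, jars bundled in ears, etc.
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(n), f"{label}!{n}", findings)
    return findings

def scan_tree(root: Path) -> list:
    """Scan every archive under a directory, e.g. a game or app server install."""
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(p.read_bytes(), str(p), findings)
    return findings

def build_sample_jar(version: str, wrap_in_war: bool = False) -> bytes:
    """Constructed fixture: a minimal jar shaped like log4j-core (no real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_CLASSES + "LogEvent.class", b"")
        zf.writestr(POM_PROPS, f"version={version}\n")
    if not wrap_in_war:
        return buf.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core.jar", buf.getvalue())
    return outer.getvalue()
```

Run `scan_tree(Path("/path/to/server"))` against an install directory; every entry reported with `affected=True`, including those with an unreadable version, needs an upgrade or manual review.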