About a week ago, a critical IT security vulnerability in Log4j was discovered that allows attackers to smuggle malware onto servers. Security experts fear that data on affected servers can be manipulated or stolen and that online services can be completely paralyzed. Companies and public authorities are particularly affected, including large companies such as Twitter, Tesla and Amazon. The German Federal Office for Information Security (BSI) has now published a cybersecurity warning of the highest level. The authority rates the risk of the vulnerability being actively exploited as "very high". The exact number of affected software products and online applications is not yet known, but security experts expect the extent to be enormous, because the vulnerability lies in the widely used Log4j program library, from which it takes its name.
Program libraries can be thought of as a kind of construction kit of code for developers: common functionality does not have to be written over and over again, but can be embedded in the code as ready-made components. Log4j is used in many Java applications and logs the activities of a program while it is running, so that errors can be evaluated later, for example. "Every company that runs Java software in its own infrastructure or in the cloud must act now and check whether it is affected by the security vulnerability," explains Johannes Späth.
Johannes Späth is one of the founders of CISPA start-up CodeShield. Like many IT security researchers and experts, he and his team spent the past weekend thinking about possible solutions to the problem. The result is a tool that can scan computer systems for the vulnerability: the Log4jShell Bytecode Detector analyzes so-called JAR files. "JAR files are compiled Java programs. Access to the source code is therefore not needed at all. This is especially relevant for software that was not developed in-house, i.e. third-party software, or for software that is already in use."
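To illustrate what scanning compiled JAR files for the vulnerable library looks like in practice, here is an added example; it is not CodeShield's Log4jShell Bytecode Detector and does not reproduce its bytecode analysis. Instead it uses two simpler file-level indicators that are common in first-response scanners: whether the archive contains the `JndiLookup` class of log4j-core (the class that performs the JNDI lookup abused by the vulnerability), and the log4j-core version recorded in the Maven `pom.properties` inside the archive. Nested archives (a JAR inside a JAR, as in Spring Boot or WAR deployments) are scanned recursively. The version threshold (flag anything below 2.17.0) and all sample archives are assumptions constructed for the demo.

```python
"""Scan JAR/WAR/EAR files, including archives nested inside them, for a log4j-core
that still contains JndiLookup and reports a version below the assumed fixed release.

Added example, not CodeShield's tool. Heuristic, not bytecode analysis: a hit means
"take a closer look", a miss does not prove the application is safe (e.g. shaded or
renamed copies of log4j are not detected).
"""
import io
import os
import sys
import zipfile

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 17, 0)  # assumption for the demo; adjust to the release you consider fixed


def parse_version(text):
    """Extract the 'version=' line of pom.properties as a tuple of ints, e.g. (2, 14, 1)."""
    for line in text.splitlines():
        if line.startswith("version="):
            parts = line.split("=", 1)[1].strip().split(".")
            return tuple(int(p) for p in parts[:3] if p.isdigit())
    return None


def scan_archive(data, path):
    """Return a list of findings for the archive bytes `data` at logical location `path`.

    Each finding is a dict with keys path, version and reason. Nested archives are
    reported with a 'outer.jar!/inner.jar' style path.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # An unreadable archive cannot be cleared; surface it instead of silently skipping.
        return [{"path": path, "version": None, "reason": "unreadable archive"}]
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPERTIES in names:
            version = parse_version(zf.read(POM_PROPERTIES).decode("utf-8", "replace"))
        if JNDI_LOOKUP_CLASS in names and (version is None or version < FIXED_VERSION):
            findings.append({
                "path": path,
                "version": version,
                "reason": "JndiLookup.class present and version unknown or below %s"
                          % ".".join(map(str, FIXED_VERSION)),
            })
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), "%s!/%s" % (path, name)))
    return findings


def scan_tree(root):
    """Walk a directory and scan every archive found; returns all findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings


def build_jar(entries):
    """Construct an in-memory JAR (a zip) from {name: bytes}; demo helper only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives. The class contents are placeholders, not real bytecode.
VULNERABLE_CORE = build_jar({
    POM_PROPERTIES: b"artifactId=log4j-core\nversion=2.14.1\n",
    JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
})
FIXED_CORE = build_jar({
    POM_PROPERTIES: b"artifactId=log4j-core\nversion=2.17.0\n",
    JNDI_LOOKUP_CLASS: b"\xca\xfe\xba\xbe",
})
APP_WITH_NESTED_CORE = build_jar({
    "BOOT-INF/classes/com/example/App.class": b"\xca\xfe\xba\xbe",
    "BOOT-INF/lib/log4j-core-2.14.1.jar": VULNERABLE_CORE,
})


def demo():
    """Scan the constructed samples; the nested one is found through the outer JAR."""
    return {
        "vulnerable": scan_archive(VULNERABLE_CORE, "log4j-core-2.14.1.jar"),
        "fixed": scan_archive(FIXED_CORE, "log4j-core-2.17.0.jar"),
        "nested": scan_archive(APP_WITH_NESTED_CORE, "app.jar"),
    }


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()["nested"]
    for f in results:
        print("%s  version=%s  %s" % (f["path"], f["version"], f["reason"]))
```

Run it with a directory argument to walk a real deployment, or without arguments to see the nested sample reported as `app.jar!/BOOT-INF/lib/log4j-core-2.14.1.jar`. Because this checks file names rather than bytecode, it misses copies of log4j that were repackaged under another package name, which is exactly the gap a bytecode-level detector is meant to close.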
Anyone affected by the security vulnerability urgently needs to apply updates, said CISPA faculty member Thorsten Holz in an interview with hr-inFO radio. Corresponding patches for the open source program library have already been released. Where an update is not yet possible, the systems must be specially monitored, Holz said. How often and by whom the vulnerability has already been exploited is not yet clear, he said. Log4jShell was first discovered on servers of the online game Minecraft.
Meanwhile, the CodeShield team is continuously working on improving the bytecode detector. The young company already had experience in detecting security vulnerabilities: its core business is analyzing cloud infrastructures for weaknesses. "With our cloud model, we can determine which cloud resources are publicly accessible and what security vulnerabilities they contain."
It will be some time before the vulnerability is fixed in all affected applications, so the Log4j vulnerability could well keep us busy for a few more weeks, or even months.
translated by Tobias Ebelshäuser