Security researchers and officials, including the director of cybersecurity at the National Security Agency, are sounding the alarm about a critical bug that could allow hackers to take remote control of targets' devices. The bug stems from a widely used logging tool called log4j, used in applications made by some of the largest technology companies in the world. The flaw was first detected in Minecraft, which is owned by Microsoft, but could also extend to companies including Apple, Twitter, and more, researchers say.
"Log4j is a very popular logging package for Java. It is very powerful and flexible and, even from my own experience, is used in almost every Java application that I have ever encountered ... The exploit is actually unbelievably simple — which makes it very, very scary at the same time," Bojan Zdrnja, senior instructor at SANS Institute, told Vice.
Logging tools record almost all activity that occurs when software is running, which allows developers to go back and fix the inevitable problems that crop up. This particular vulnerability could allow a remote attacker to craft specific messages that, once logged, direct the computer to download code that gives the attacker complete control of the system.
"The log4j vulnerability is a significant threat for exploitation due to the widespread inclusion in software frameworks, even NSA’s GHIDRA," NSA cybersecurity director Rob Joyce tweeted Friday, referring to an NSA open-source software project.
Security company Cloudflare determined the log4j bug was "so bad" that CEO Matthew Prince said the company is rolling out protections to all Cloudflare users by default. "But, no matter what we are able to do, we will not be able to fully protect against all exploits of #Log4J because there are so many ways things can get logged," Prince tweeted Friday. "Critical to patch your Log4J systems."
Correction: This story has been updated to correct the names of Bojan Zdrnja and Matthew Prince. This correction was made Dec. 10, 2021.
This story has been updated to clarify how the vulnerability can be exploited.