“Simple! Java is very simple! Powerful! It is so powerful, isn't it?”
- From the popular Malayalam movie Premam.
A small piece of open source software written in Java, called Log4j, was in the news around the world for the wrong reasons: a flaw in it became one of the most widely exploited computer vulnerabilities of recent years.
What is Log4j?
Log4j is a free, open source logging library: a component that records what a program is doing (errors, logins, requests and so on) so that developers and operators can inspect it later. It is used by thousands of websites and business applications around the globe. The affected applications and services include big names like Apple iCloud, Microsoft's Minecraft, IBM, Oracle and many others. The impact was catastrophic because the use of Log4j is ubiquitous in the Java world.
An analogy from the real world would be the nuts and bolts of a car. A casual computer or internet user may not have heard of Log4j, but it is used across entire business applications and public websites developed in the Java language, and Java is one of the most popular programming languages.
What is the layman's explanation of this vulnerability?
The Log4j security vulnerability allows attackers to execute malicious code remotely on a target computer. It is triggered by data that an application writes to its log: if an attacker could get a specially crafted piece of text (for example in a username, a chat message or a web browser's identification header) logged by a vulnerable version, Log4j would treat part of that text as an instruction to fetch and run code from a server of the attacker's choosing. Meaning, bad actors (hackers) can steal data, install malware, or take control of a system over the Internet, without any login or password.
How big is the damage?
As per the cybersecurity firm Check Point, over 800,000 exploitation attempts were detected in the first 72 hours after the Log4j issue became public. Experts warned that the vulnerability could affect a large part of the internet, and that it may take years to fix completely. Why so? By some estimates, the vast majority of Java programs use Log4j directly or indirectly. "Indirectly" means a copy of Log4j is bundled inside some other library or product that the application depends on, and those hidden copies are the hardest ones to find and update.
The Common Vulnerability Scoring System (CVSS), a free and industry-standard way of ranking the severity of vulnerabilities, gave it a perfect 10 on the CVSS scale of 0 to 10. The degree of impact sent shockwaves beyond the IT industry. In addition, the first fix turned out to be incomplete, and further Log4j vulnerabilities were disclosed in the following weeks, so a single update was not enough; affected software had to be updated more than once.
How does the Log4j vulnerability affect a casual computer user?
All the above challenges are faced by organizations that run software applications and websites for their business, NOT by individuals. Casual computer users are not directly affected, unless a program on their own computer bundles Log4j itself; the Java edition of Minecraft was one such case and needed its own update. Your data held by those organizations is, however, only as safe as their patching.
Hard work needs to be done by your software vendors and service providers to secure your data that they maintain.
At the same time, you should keep your applications and operating system up to date with security patches.
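What that hard work looks like in practice, as an added example that is not part of this column: a small Python script that walks a directory of Java applications and reports every copy of Log4j's core library, including copies buried inside other archives (the indirect use mentioned above), which is where many organizations found the instances they had missed. It identifies log4j-core by the JndiLookup class that implements the vulnerable lookup feature and reads the version from the Maven properties file the library ships with. The 2.17.1 threshold is the example's own choice (the release that addressed the December 2021 chain of Log4j fixes; check the current Apache advisories for the version to require today), and the sample jars it builds in a temporary directory are constructed stand-ins, not real artifacts.

```python
"""Added example: inventory scanner for Log4j 2 core jars, including jars
nested inside other jars/wars (the "indirect" use the column mentions)."""
import io
import os
import re
import tempfile
import zipfile

# This class implements the JNDI lookup feature and ships only in log4j-core.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata bundled in log4j-core jars; it carries the version string.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Threshold chosen for this example (assumption): flag anything older than 2.17.1.
FIXED = (2, 17, 1)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); None if unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())


def inspect_archive(data, path):
    """Return findings for one archive (as bytes), recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    names = set(zf.namelist())
    if JNDI_LOOKUP in names:
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        parsed = parse_version(version) if version else None
        findings.append({
            "path": path,
            "version": version,
            # An unknown version is treated as needing review, never as safe.
            "needs_review": parsed is None or parsed < FIXED,
        })
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root):
    """Scan every archive under root and return the list of findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_tree(root):
    """Constructed sample data (not real artifacts): an old log4j-core jar,
    a patched one, and an application jar that embeds the old one."""
    def make_core(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder class bytes
            z.writestr(POM_PROPS, f"version={version}\nartifactId=log4j-core\n")
        return buf.getvalue()
    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(make_core("2.14.1"))
    with open(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(make_core("2.17.1"))
    # Fat application jar with the old core nested inside: the "indirect" case.
    with zipfile.ZipFile(os.path.join(root, "app.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", make_core("2.14.1"))
        z.writestr("BOOT-INF/classes/Main.class", b"\xca\xfe\xba\xbe")


def run_demo():
    """Build the constructed sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in run_demo():
        flag = "REVIEW" if f["needs_review"] else "ok    "
        print(f"{flag} {f['version'] or '?':8} {f['path']}")
```

Run it against a real installation with `scan_tree("/opt/myapp")` instead of the sample tree. The point of the nested-archive recursion is that an application can be "clean" at the top level and still ship a vulnerable copy inside a fat jar or WAR, which is exactly the indirect dependency that made the cleanup take so long.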
(The author is an IT expert who works with a Technopark MNC. Views expressed are personal)