On 9 December, a new zero-day vulnerability was identified in the Java logging library log4j, affecting a significant number of major platforms and services including UniFi, Apple, Tesla, Twitter, and Minecraft among others. On the scale of vulnerability severity, this scores 10 out of 10, i.e., the worst vulnerability you can get.
What is a zero-day vulnerability?
In essence, a “zero-day” vulnerability, also referred to as a zero-day exploit, is simply a vulnerability in software that the developer has only just learned about. The name reflects the developer having “zero days” to fix the problem. The vulnerability can turn into a zero-day attack if hackers specifically exploit the flaw to carry out nefarious activities within the system for personal, financial, or criminal gain. In the worst instances, hackers or criminals will identify and exploit the vulnerability in the code before the software developer is even aware of it (as happened with the SolarWinds exploit earlier this year). For a full overview of zero-day vulnerabilities, exploits and attacks, Kaspersky provide a handy insight.
What is Java log4j?
Java log4j is a logging library that runs in the background of other applications, distributed through Apache Logging Services / Apache servers. Unless you are a software developer, it is unlikely that you will be using Java log4j directly, but you are likely to be using it as part of one of your other applications. For example, it is used by UniFi for their WiFi solutions, as well as Apple, Tesla, Minecraft, and many other major applications. It’s even used in a number of password logging tools that remember your passwords for you.
Java log4j supports the process of “logging” within software. Logging is the process of capturing data, formatting it for a specific output, then outputting that data in the right way. So, for example, in simple terms, it might log email addresses captured through a newsletter sign-up form, format them to be logged in a database, then present them in the appropriate format such as a spreadsheet. This is an extremely simplified example, but this logging happens for all manner of complex data logging exercises, in use by thousands of pieces of software.
Java log4j is highly configurable logging software, which has made it extremely popular.
What is the Java log4j library vulnerability?
The vulnerability within the Java log4j library allows unauthenticated remote code execution to happen, which in simple terms means that a hacker can gain full control of a server or software as they please. Basically, it leaves your business systems open to access and exploitation, in pretty much any way a hacker sees fit.
What systems are affected?
Any system, software or server that uses the Java logging library is at risk, including all Apache Log4j versions between 2.0 and 2.14.1. This includes many services and applications written in Java. It was first discovered via the popular gaming platform Minecraft, but is affecting thousands of cloud-based applications and software too.
What do you need to do about it?
If you are a Eurolink managed customer, we have already made the necessary checks for you. As an ISP, with a centrally managed controller that isn’t public facing, we have been able to quickly check our firewall rules and ensure that all equipment, including UniFi WiFi hardware, is running the latest software versions and is up to date with all the security patches necessary to protect you. If you would like to discuss this specifically, you can speak to our team on 01453 700 800.
If you are not a Eurolink managed customer and you manage some or all of your hardware and software yourself, then you need to identify if any of these use Java log4j, and then switch to the appropriate coding command, and / or upgrade your software to include the latest security patches.
For those using UniFi network applications including WiFi, one of the most common in SME businesses, the security patch can be found here
If you’re not sure whether your systems will be affected, don’t know how to deploy the patches, or aren’t sure what questions you should be asking your suppliers, speak to the Eurolink team for advice on 01453 700 800.