- Thousands of online servers and services are still exposed to the dangerous and easily exploitable Log4j vulnerability, researchers find.
- While the primary threats are the servers themselves, exposed servers can also put end-users at risk, suggest cybersecurity experts.
- Unfortunately, there’s little most users can do to fix the problem besides following the best desktop security practices.
The dangerous Log4j vulnerability refuses to die, even months after a fix for the easily exploitable bug was made available.
Cybersecurity researchers at Rezilion recently discovered over 90,000 vulnerable internet-facing applications, including over 68,000 potentially vulnerable Minecraft servers whose admins haven’t yet applied the security patches, exposing them and their users to cyberattacks. And there’s little you can do about it.
“Unfortunately, log4j will haunt us internet users for quite a while,” Harman Singh, Director at cybersecurity service provider Cyphere, told Lifewire over email. “As this issue is exploited from server-side, [people] can’t do much to avoid the impact of a server compromise.”
The vulnerability, dubbed Log4Shell, was first detailed in December 2021. In a phone briefing back then, the director of the US Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious.”
In an email exchange with Lifewire, Pete Hay, Instructional Lead at cybersecurity testing and training company SimSpace, said the scope of the problem can be gauged from the compilation of vulnerable services and applications from popular vendors such as Apple, Steam, Twitter, Amazon, LinkedIn, Tesla, and dozens of others. Unsurprisingly, the cybersecurity community responded with full force, with Apache putting out a patch almost immediately.
Sharing their findings, Rezilion researchers hoped that a majority of, if not all, vulnerable servers would have been patched, given the massive amount of media coverage around the bug. "We were wrong," write the surprised researchers. "Unfortunately, things are far from ideal, and many applications vulnerable to Log4Shell still exist in the wild."
The researchers found the vulnerable instances using the Shodan Internet of Things (IoT) search engine and believe the results are just the tip of the iceberg. The actual vulnerable attack surface is a lot larger.
Are You at Risk?
Despite the rather significant exposed attack surface, Hay believed there’s some good news for the average home user. "The majority of these [Log4j] vulnerabilities exist on application servers and are therefore very unlikely to impact your home computer," said Hay.
However, Jack Marsal, Senior Director, Product Marketing with cybersecurity vendor WhiteSource, pointed out that people interact with applications across the internet all the time, from online shopping to playing online games, exposing them to secondary attacks. A compromised server can potentially reveal all the information the service provider holds about their user.
"There is no way that an individual can be sure that the application servers they interact with are not vulnerable to attack," warned Marsal. "The visibility simply does not exist."
On a positive note, Singh pointed out that some vendors have made it fairly simple for home users to address the vulnerability. For instance, pointing to the official Minecraft notice, he said that people who play the Java edition of the game need simply close all running instances of the game and restart the Minecraft launcher, which will download the patched version automatically.
The process is a little more complicated and involved if you aren’t sure which Java applications you’re running on your computer. Hay suggested looking for files with .jar, .ear, or .war extensions. However, he added that the mere presence of these files isn’t enough to determine if they are exposed to the Log4j vulnerability.
He suggested people use the scripts put out by Carnegie Mellon University (CMU) Software Engineering Institute (SEI) Computer Emergency Readiness Team (CERT) to trawl their computers for the vulnerability. However, the scripts aren’t graphical, and using them requires getting down to the command line.
All things considered, Marsal believed that in today’s connected world, it’s up to everyone to apply their best effort at remaining secure. Singh agreed and advised people to follow basic desktop security practices to stay on top of any malicious activity perpetrated by exploiting the vulnerability.
"[People] can make sure their systems and devices are updated and endpoint protections are in place," suggested Singh. "This would help them with any fraud alerts and prevention against any fallouts from wild exploitations."