Log4Shell


Internet is scrambling to fix Log4Shell, the worst hack in history

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

This is some kind of software hack that will affect all of us. I don't understand it, but if any gurus google Log4Shell and read up on it then maybe they can tell us laymen what we need to know and do.

4 hours ago, Dave Hounddriver said:

Internet is scrambling to fix Log4Shell, the worst hack in history

https://bgr.com/tech/internet-is-scrambling-to-fix-log4shell-the-worst-hack-in-history/

This is some kind of software hack that will affect all of us. I don't understand it, but if any gurus google Log4Shell and read up on it then maybe they can tell us laymen what we need to know and do.

This appears to be an issue for internet servers that create a log for each user. It appears that the servers running on the open source Apache software are the ones vulnerable. No mention (that I could find) of damage to users who log into those web sites. So basically nothing for users to do other than maybe to stop or limit web-based gaming until notified by that site that they have installed the new security patch. The game "Minecraft" is the one most mentioned in articles.

So those using/playing Minecraft, for example, are not affected, at least right now. It is the Minecraft servers themselves that are vulnerable to the hack. The logs maintained at the server level are used to record scores, levels, rewards, login date/times, etc. The hack allows SQL and other scripts to be read and executed when the server receives a new login record.


15 hours ago, Mike J said:

This appears to be an issue for internet servers that create a log for each user. It appears that the servers running on the open source Apache software are the ones vulnerable. No mention (that I could find) of damage to users who log into those web sites. So basically nothing for users to do other than maybe to stop or limit web-based gaming until notified by that site that they have installed the new security patch. The game "Minecraft" is the one most mentioned in articles.

So those using/playing Minecraft, for example, are not affected, at least right now. It is the Minecraft servers themselves that are vulnerable to the hack. The logs maintained at the server level are used to record scores, levels, rewards, login date/times, etc. The hack allows SQL and other scripts to be read and executed when the server receives a new login record.

Dave & Mike J have some of the story.

The program is Log4J, which is a programming library for logging used by software developers when writing web-based applications in Java (not JavaScript). So it could be found in any website which uses Java to run the backend application. The Apache Software Foundation is just the open source developer community where Log4J was developed and maintained. The ASF develops hundreds of different applications and tools, primarily for web-based internet applications. The exploit can be used to gain unauthorized access to the server to steal data, install ransomware, etc. This exploit is very damaging because a very large percentage of enterprise-level online services are built using Java. Think banks, stocks, etc. Applications built for Oracle databases use Java extensively.

The good news is that it only affects a few versions of the Log4J software, there is a new version which fixes the bug, and even if you can't immediately upgrade there is an easy fix.
