FUTR.tv a weekly interview podcast talking with the innovators who are building the future

View Original

Freak Out, It's Log4J!

Give your security guys a hug, a socially distanced one, because we are in the middle of a pandemic and we aren't savages. They had a very bad holiday trying to deal with the Log4J exploit that hit in December.

If you are confused as to what this is all about, stay tuned.

Hey everybody, this is Chris Brandt, welcome to another FUTRtech video podcast. On December 9th, a remote code execution bug in Apache Log4j 2 was discovered being exploited in the wild. This exploit was alarming for two reasons, it is very widely used and it is a very easy exploit to perform. Minecraft, Apple's iCloud and Amazon Web Services are just some of the major services impacted by this. Additionally, after the exploit came to light, bad actors started actively scanning the Internet for vulnerable systems.

So what is Log4J? Log4J is an open source logging utility used by Java applications. Most systems log an enormous amount of events for analysis and troubleshooting. It is responsible for writing and processing the log files. For example, say you request a page from a webserver that doesn't exist, if the server is running Java it would likely log this failed attempt through Log 4J. The part that was exploited was the Context Lookup feature, which like it says adds additional context to the logs like adding the currently logged in user.

By submitting a specially crafted request, the application would execute code to either download additional exploits or to exploit functions on the system directly. The exploit is fairly trivial to perform and because of Log4J's wide use, this became a major problem for businesses over the holidays. With already overstretched security and development resources this became a major undertaking for many people.

Fortunately there is a patch available for this. There are still some configuration details that you need to pay attention to, but getting this fixed should be a top priority for your organization.

Thanks for watching, if you like what you saw, give us a like and think about subscribing, and I will see you in the next video.

See this content in the original post

FUTRtech focuses on startups, innovation, culture and the business of emerging tech with weekly video podcasts where Chris Brandt and Sandesh Patel talk with Industry leaders and deep thinkers.

Occasionally I share links to products I use, as an Amazon Associate I earn from qualifying purchases on Amazon.