‘Extremely bad’ vulnerability found in widely used logging system

Security teams at companies large and small are scrambling to patch a previously unknown vulnerability called Log4Shell, which has the potential to let hackers compromise millions of devices across the internet.

If exploited, the vulnerability allows remote code execution on vulnerable servers, giving an attacker the ability to import malware that would completely compromise machines.

The vulnerability is found in log4j, an open-source logging library used by apps and services across the internet. Logging is a process where applications keep a running list of activities they have performed which can later be reviewed in case of error. Nearly every network security system runs some kind of logging process, which gives popular libraries like log4j an enormous reach.

Marcus Hutchins, a prominent security researcher best known for halting the global WannaCry malware attack, noted online that millions of applications would be affected. “Millions of applications use Log4j for logging, and all the attacker needs to do is get the app to log a special string,” Hutchins said in a tweet.