While you were watching the F1 title decider between Max Verstappen and Lewis Hamilton or excited for the Succession finale, companies running the internet were scared shitless.

You might not have noticed it because services like Twitter, Facebook, Gmail, and smaller ones all stayed up. But a bug in an open-source tech called Log4j was (and still is) causing panic amongst the infosec community across the world.

While the bug has affected billions of devices, and companies are scrambling to apply fixes, the open-source community has a raging debate going on about funding volunteers that maintain projects like Log4j.

Before we dive into all that, here’s a brief background about the technology and the issue.

What is Log4j?

Log4j 2 is a Java-based open-sourced logging framework that comes under the Apache Foundation services, so anyone can use it for free. The logging software is used by companies to track activity on their servers (or even client-side apps).

For instance, when you visit a website, your IP address, your browser, and the pages you visit are registered by the logger. This data related to activity can help companies solve any problem with their service.

Since the library is Java-based, there’s a chance that billions of devices supported by the framework might be at risk.

What is the Log4j bug?

The bug, listed under CVE-2021-44228 last week, allows attackers to remotely execute code through a specially crafted string. Since Log4j is so common, cybercriminals can easily manipulate log strings and control the server or the client.

One of the main reasons for this bug’s existence is that some versions of Log4j are capable of executing arbitrary text through a directory lookup protocol (LDAP protocol).

If you want to read a detailed explanation of the issue in simple language, read this Twitter thread.

A new report from Bloomberg suggests the bug was first reported to the maintainers of the Log4j project on November 24 by a security researcher working at the Alibaba team.

Who’s affected?

To be honest, I should’ve named this section “Who’s not affected?” Log4j’s open-source nature and widespread compatibility means it’s a great choice and tons of companies use it — including Apple, Microsoft, Steam, Twitter, Baidu, and Cloudflare.

As soon as the details about the vulnerability were out, several people started scanning servers to check if they were open to exploitation.

Some programmers tested various sites and services to check the potential reach of the attack; you can check out the full list here.

IP-based evidence that Twitter uses Log4j service
IP-based evidence that Twitter uses Log4j service
IP-based evidence that Twitter uses Log4j service

Importantly, as Ars Technica noted, many of these companies have several lines of defense against cyber attacks. So even if some of the servers are open to the Log4j attack, other security systems can thwart the attack.

The issue came to the fore through Minecraft sites, when researchers found out that a specific string passed to the server or even in-game chat could give attackers control of the system. Web infrastructure firm Cloudflare’s CEO, Matthew Prince, tweeted the company will roll out some protection to all customers — including the ones using the free tier.

Notably, there are several appliances that run Java server components, and Log4j could be a part of that. So your toaster could be a hacking target too (?).

Data security platform LunaSec has a lengthy technical explanation about the impact of the bug on its blog.

If you were really thinking about how widespread Log4j’s usage is, this tweet will sum it up for you.

What’s the mitigation?

Hours after the bug was discovered, the security team at the Apache Foundation released a new version (v15.0) of Log4j with patches that secure systems from attacks.

Minecraft’s owner, Mojang Studios, also published a guide for people running the official game client and game servers to fix the bug. It warned that people running third-party game clients might have to wait for the provider to patch the exploit. Plus, the Swiss government’s computer response team (CERT) has tweeted an easy-to-understand prevention guide in a picture format.

Companies like Red Hat and VMWare released their own fixes to plug the issue. For server admins, severalsecurity blogs have detailed guides for mitigations strategies. A GitHub user has made a super useful list of patches issued by companies, including Netflix, Citrix, Docker, and Oracle.

Apache has released version 2.16.0 of the Log4j framework. This update completely removes message lookups to reduce the threat. Plus, it has also disabled automatically resolving lookups contained in a message or its parameters.

It’s not over yet

While service providers and the open-source community are working round the clock to fix the issue and secure as many systems as possible. The danger is looming over our heads.

As Bleeping Computer noted in its report last night, attackers are installing cryptominers, malware, and deploying botnets for DDoS (Distributed Denial of Service) attacks. Microsoft’s threat intelligence team has noted that many attackers are using the Colbat Strike penetration detection tool for credential theft.

Sean Gallagher, a senior threat researcher at Sophos, also said that the security company has detected many attempts of remote code execution:

Since Dec.9, Sophos has detected hundreds of thousands of attempts to remotely execute code using the Log4Shell vulnerability. Initially, these were Proof-of-Concept(PoC) exploit tests by security researchers and potential attackers, among others, as well as many online scans for the vulnerability. This was quickly followed by attempts to install coin miners, including the Kinsing miner botnet.

The most recent intelligence suggests attackers are trying to exploit the vulnerability to expose the keys used by Amazon Web Service accounts.

Security researcher Greg Linares tweeted that threat actors might be building a worm to attack many servers through the Log4j bug and cause damage or demand money.

The Cybersecurity and Infrastructure Security Agency (CISA) has also issued a warning stating that the bug “is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.” The agency suggested organizations to disable external-facing devices running Log4j and install additional firewall security with rules related to the vulnerability. 

Security researchers found out last night that the Log4J bug can affect all java versions. So even if you’re running an updated Java version, you need to patch your Log4j service.

A report from The Verge noted that researchers are getting pings from Apple and Tesla servers if they change the device name to specially crafted exploit string.

The open-source community enraged by low payment for contributors

This Log4j bug has once again established that large corporations around the globe depend on free open-source software heavily. That’s all fine and dandy, but the open-source community is now outraged by the fact about contributors not getting enough pay.

Filippo Valsorda, a cryptographer at Google, noted on his personal blog that the maintainer who fixed the Log4j bug contributed to the project part-time, and had just three GitHub Sponsors (a way for people to pay project volunteers).

He noted that contributors only get a small amount through GitHub or Patreon, while their projects might be responsible for millions of dollars of business. Plus, a bug in these important systems can break the internet, and it’s unfair to depend on people who work on these projects in their spare time without any assured rewards.

Matthew Green, a professor of cryptography at Johns Hopkins University, argued that the industry needs a list of open-source libraries and technologies with widespread reach so more people can work on projects that are important to run the internet smoothly.

Security firm Chainguard’s founder, Dan Lorenc, said that while corporations are willing to fund open-source projects, it’s hard for them to find out critical projects that need paid maintainers. He also noted that ideally, the industry should fund teams that maintain three to four projects.

Contributors cited that their pay through contributions is super low, it’s really hard to maintain expenses by just doing that. That’s a sad state of affairs.

Hopefully, this issue will finally wake up the industry to pay attention towards coming together and contribute towards open-source projects that keep the internet afloat. But perhaps they might go back to sleep if the bug doesn’t cause much damage.

I have to end this with an XKCD comic summing up the situation.