Log4Shell vulnerability: what is the problem, and what are the solutions?
On Friday, December 10, 2021, security researchers publicly alerted the world to the discovery of a potentially severe vulnerability. The flaw affects Apache Log4j, a Java logging library used in computer systems around the globe. Here is a closer look at this crisis, which has mobilized IT teams worldwide, including Tink's.
The Log4Shell Vulnerability
The global response to this vulnerability is due to the fact that it was previously undocumented, with no patch available at the time of its discovery. The risk? An attacker could infiltrate affected systems by executing arbitrary code remotely, without authentication, gaining access to servers that would normally be unreachable from outside. Data theft, system paralysis, website or application outages: the risks are real, serious, and numerous.
A Worldwide Threat
The list of instances affected by this vulnerability is staggering due to Java’s popularity in IT systems. Minecraft, Apple, Netflix, Amazon, Cisco, Microsoft, Steam, GitHub, some Google services, and IBM software, to name a few, are exposed to this flaw. In Quebec, the government acted swiftly: 3,992 sites and services were shut down to scan all tools and assess the threat's scope, applying patches where necessary. Many Quebec companies are also affected.
The Solutions
The plan to address this vulnerability is simple on paper but monumental in practice:
- Analyze systems to identify those affected by the vulnerability;
- Find the correct patch to solve the issue.
Éric Caire, Quebec’s Minister for Digital Transformation, summarized the complexity of identifying affected systems:
"We're somewhat searching for a needle in a haystack, to be honest! Excuse the expression, but we need to scan all our systems because we don't have an inventory. It's like asking how many rooms in all Quebec government buildings use 60-watt lightbulbs. I don't know. So, we're going room by room, lightbulb by lightbulb, to see if it's a 60-watt. It's painstaking work."
Éric Caire, Minister for Digital Transformation (Photo: Graham Hughes, Canadian Press Archives)
The Apache Software Foundation teams quickly developed an emergency patch that addresses the vulnerability in the latest versions of Log4j. However, it is not a silver bullet, as the list of affected software is extensive. The challenge lies in Java's popularity and the sheer number of services and sub-services that use Log4j, often indirectly. It can also be difficult to determine exactly where a given piece of software is exposed.
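The first step of the plan above, finding out which systems actually carry a vulnerable Log4j, is hard precisely because the library is often buried inside other applications. The following added example (written for this article, not Tink's or Apache's code) shows one defensive inventory check: it reads the version log4j-core records in its own pom.properties and recurses into nested archives such as Spring Boot fat JARs and WARs. The sample JARs are constructed in memory, and the 2.17.1 threshold is an assumption chosen for the example, not taken from the article.

```python
import io
import re
import zipfile

# Maven records an artifact's own version at this path inside its JAR.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")
# Assumed threshold for this example: 2.x log4j-core below it is flagged for review.
MIN_SAFE = (2, 17, 1)


def parse_version(props):
    """Extract (major, minor, patch) from pom.properties text, or None if absent."""
    m = re.search(r"^version=(\S+)", props, re.MULTILINE)
    return tuple(int(p) for p in re.findall(r"\d+", m.group(1))[:3]) if m else None


def scan_archive(data, label):
    """Return [(label, version, flagged)] for each log4j-core in the archive,
    recursing into nested archives (fat/uber JARs, WARs) where it often hides."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if POM_PROPS in zf.namelist():
            ver = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace"))
            hits.append((label, ver, ver is None or ver < MIN_SAFE))
        for name in zf.namelist():
            if name.lower().endswith(ARCHIVES):
                hits.extend(scan_archive(zf.read(name), f"{label}!/{name}"))
    return hits


def make_core_jar(version):
    """Constructed fixture: a minimal log4j-core JAR carrying only its pom.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()


def make_fat_jar(inner_version):
    """Constructed fixture: an application JAR bundling log4j-core under BOOT-INF/lib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core.jar", make_core_jar(inner_version))
    return buf.getvalue()


if __name__ == "__main__":
    samples = {"log4j-core-2.14.1.jar": make_core_jar("2.14.1"), "app.jar": make_fat_jar("2.17.1")}
    for path, data in samples.items():
        for label, ver, flagged in scan_archive(data, path):
            print(("REVIEW " if flagged else "ok     ") + f"{label} {ver}")
```

On a real host, feed `scan_archive` the bytes of every `.jar`, `.war` and `.ear` found under the application directories; a hit with `flagged` set is an archive whose vendor patch status still has to be confirmed.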
Tink Teams on Alert
Following the initial reports of the Log4Shell vulnerability, Tink’s teams immediately mobilized to ensure our clients' systems were secure. Over the weekend, we analyzed potentially sensitive tools and, in the few cases where there was a risk, worked directly with internal teams to correct the flaw.
Our clients’ security is a top priority for Tink, and our support teams are available around the clock to ensure the optimal functioning of the systems we develop. A crisis like Log4Shell is a prime example of when our experts support our partners in finding and implementing the best possible solution.