
Log4j software bug: What you need to know

Casual computer users have probably never heard of this logging software, but it's used across the entire internet.

Bree Fowler Senior Writer

With Christmas just days away, federal officials are warning those who protect the country's infrastructure to guard against possible cyberattacks over the holidays, following the discovery of a major security flaw in widely used logging software.

Top officials from the Cybersecurity and Infrastructure Security Agency held a call Monday with nearly 5,000 people representing key public and private infrastructure entities. The warning itself isn't uncommon. The agency typically issues these kinds of advisories ahead of holidays and long weekends, when IT security staffing is usually low.

But the discovery of the Log4j bug a little more than a week ago boosts the significance. CISA also issued an emergency directive on Friday that ordered federal civilian executive branch agencies to check whether software that accepts "data input from the internet" is affected by the vulnerability. The agencies are instructed to patch or remove affected software by 5 p.m. ET on Dec. 23 and report the steps taken by Dec. 28.

The bug in the Java logging library Apache Log4j poses risks for huge swathes of the internet. The vulnerability in the widely used software could be used by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.

One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game's servers before Microsoft, which owns Minecraft, patched the problem. The bug is a so-called zero-day vulnerability. Security professionals hadn't created a patch for it before it became known and potentially exploitable.

Experts warn that the vulnerability is being actively exploited. Cybersecurity firm Check Point said Friday that it had detected more than 3.8 million attempts to exploit the bug in the days since it became public, with about 46% of those coming from known malicious groups.

"It is clearly one of the most serious vulnerabilities on the internet in recent years," the company said in a report. "The potential for damage is incalculable."

The news also prompted warnings from federal officials who urged those affected to immediately patch their systems or otherwise fix the flaws.

"To be clear, this vulnerability poses a severe risk," CISA Director Jen Easterly said in a statement. She noted the flaw presents an "urgent challenge" to security professionals, given Apache Log4j's wide usage.

Here's what else you need to know about the Log4j vulnerability.

Who is affected?

The flaw is potentially disastrous because of the widespread use of the Log4j logging library in all kinds of enterprise and open-source software, said Jon Clay, vice president of threat intelligence at Trend Micro.

The logging library is popular, in part, because it's free to use. That price tag comes with a trade-off: Just a handful of people maintain it. Paid products, by contrast, usually have large software development and security teams behind them.

Meanwhile, it's up to the affected companies to patch their software before something bad happens.

"That could take hours, days or even months depending on the organization," Clay said.

Within a few days of the bug becoming public, companies including IBM, Oracle, AWS and Microsoft had all issued advisories alerting their customers to Log4j, outlining their progress on patches and urging them to install related security updates as soon as possible.

Generally speaking, any consumer device that uses a web server could be running Apache, said Nadir Izrael, chief technology officer and co-founder of the IoT security company Armis. He added that Apache is widely used in devices like smart TVs, DVR systems and security cameras.

"Think about how many of these devices are sitting in loading docks or warehouses, unconnected to the internet, and unable to receive security updates," Izrael said. "The day they're unboxed and connected, they're immediately vulnerable to attack."

Consumers can't do much more than update their devices, software and apps when prompted. But, Izrael notes, there's also a large number of older internet-connected devices out there that just aren't receiving updates anymore, which means they'll be left unprotected.

Why is this a big deal?

If exploited, the vulnerability could allow an attacker to launch remote code execution attacks against Java-based web servers, which could give them control of those servers. That could open up a host of security-compromising possibilities.

Microsoft said that it had found evidence of the flaw being used by tracked groups based in China, Iran, North Korea and Turkey. Those include an Iran-based ransomware group, as well as other groups known for selling access to systems for the purpose of ransomware attacks. Those activities could lead to an increase in ransomware attacks down the road, Microsoft said.

Bitdefender also reported that it detected attacks carrying a ransomware family known as Khonsari against Windows systems.

Most of the activity detected by CISA has so far been "low level" and focused on activities like cryptomining, CISA Executive Assistant Director Eric Goldstein said on a call with reporters. He added that no federal agency has been compromised as a result of the flaw and that the government isn't yet able to attribute any of the activity to any specific group.

Cybersecurity firm Sophos also reported evidence of the vulnerability being used for cryptomining operations, while Swiss officials said there's evidence the flaw is being used to deploy botnets often used in both DDoS attacks and cryptomining.

Cryptomining attacks, sometimes known as cryptojacking, allow hackers to take over a target computer with malware to mine for bitcoin or other cryptocurrencies. DDoS, or distributed denial of service, attacks involve taking control of a computer to flood a website with fake visits, overwhelming the site and knocking it offline.

Izrael also worries about the potential impact on companies with work-from-home employees. Often the line blurs between work and personal devices, which could put company data at risk if a worker's personal device is compromised, he said.

What's the fallout going to be?

It's too soon to tell. 

Check Point noted that the news comes just ahead of the height of the holiday season when IT desks are often running on skeleton crews and might not have the resources to respond to a serious cyberattack.

The US government has already warned companies to be on high alert for ransomware and cyberattacks over the holidays, noting that cybercriminals don't take time off and often see the festive season as a desirable time to strike.

Though Clay said some people are already starting to refer to Log4j as the "worst hack in history," he thinks that'll depend on how fast companies roll out patches and squash potential problems.

Given the cataclysmic effect the flaw is having on so many software products right now, he says companies might want to think twice about using free software in their products.

"There's no question that we're going to see more bugs like this in the future," he said.

CNET's Andrew Morse contributed to this report.