The Log4j vulnerability, also known as Log4Shell, has turned out to be a threat to cybersecurity. It has affected several well-known services, including Amazon, Apple iCloud, Cloudflare, Minecraft and Twitter, as well as several other enterprise products. Researchers at LunaSec first discovered it in Microsoft’s Minecraft.
Cybersecurity researchers have warned that these enterprise products are exposed to a ‘zero-day exploit’. A zero-day exploit is a cyber-attack that is not yet known to antivirus and software companies. The US government’s cybersecurity agency has also warned that hackers can gain unauthorized access to PCs using Log4j software.
The zero-day exploit was found in log4j2, a widely used Java logging system.
What can the Log4j vulnerability do?
Hackers exploiting the Log4j vulnerability can execute ‘arbitrary code’ and gain access to computer systems. They can then take full control of a server.
In technical terms, an attacker who can control log messages or their parameters can execute arbitrary code loaded from LDAP servers. This is possible when message lookup substitution is enabled.
Several reports affirm that users running Log4j 2.15.0 and above are not at risk, because Log4j 2.15.0 has this behaviour disabled by default.
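An inventory check built on the version threshold stated above, as an added example that is not part of the original article: it flags log4j-core JAR files below 2.15.0 by file name. The file-name pattern, the function names and the sample paths are assumptions made for illustration.

```python
import os
import re

# Threshold taken from the article: 2.15.0 and above have the behaviour disabled.
FIXED = (2, 15, 0)
# Assumed naming: log4j-core-2.14.1.jar, log4j-core-2.0-beta9.jar, ...
JAR_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?\.jar$")


def parse_version(filename):
    """Return ((major, minor, patch), prerelease_tag), or None if not log4j-core."""
    m = JAR_RE.search(os.path.basename(filename))
    if not m:
        return None
    nums = tuple(int(p) for p in m.group(1).split("."))
    return (nums + (0, 0, 0))[:3], m.group(2)   # pad "2.0" to (2, 0, 0)


def is_at_risk(filename, fixed=FIXED):
    """True for Log4j 2.x below `fixed`; pre-releases of `fixed` count as below it."""
    parsed = parse_version(filename)
    if parsed is None:
        return False
    nums, tag = parsed
    if nums[0] != 2:                            # the article concerns log4j2 only
        return False
    return nums < fixed or (nums == fixed and tag is not None)


def scan_tree(root):
    """Walk `root` and return the sorted paths of at-risk log4j-core JARs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if is_at_risk(f)]
    return sorted(hits)


# Constructed sample inventory (not from the article).
SAMPLE = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/srv/game/libraries/log4j-core-2.0-beta9.jar",
    "/srv/game/libraries/log4j-core-2.15.0-rc1.jar",
    "/opt/app/lib/log4j-api-2.14.1.jar",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print("AT RISK" if is_at_risk(path) else "ok     ", path)
```

File names are only a first pass: a JAR that has been renamed or bundled inside another archive will not match the pattern.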
Who does Log4j impact?
Cybersecurity firm LunaSec says that services such as the gaming service Steam, Twitter, Microsoft’s Minecraft, WebEx, Google, Amazon and others are affected or likely to be affected by Log4j.
Minecraft recently issued a statement explaining how users can update the game to avoid the issue.
Like Minecraft, Paper, an open-source project, is also working out ways to fix the problem.
What did Minecraft say about the issue?
Minecraft said in a statement that Minecraft Java Edition is highly impacted. Running the Java Edition puts the PC at risk of exposure to the issue. For Minecraft players, the Java Edition allows cross-play between Windows, macOS, and Linux.
The statement adds that the exploit has been “addressed with all versions of the game client patched”. Users will still have to take additional precautions to secure their servers as well as their game.
Users who do not host Minecraft Java Edition on their own servers will have to close the Minecraft launcher, along with all running instances of the game, and then restart the launcher. This will automatically download the ‘patched version’.
Users on modified clients and third-party launchers will not get the patched version automatically. Minecraft therefore recommends following the advice of the third-party provider.
“If the third-party provider has not patched the vulnerability, or has not stated it is safe to play, you should assume the vulnerability is not fixed and you are at risk by playing,” the Minecraft statement says.