
Explaining the Widespread log4j Vulnerability

The log4j security vulnerability is one of the most widespread cybersecurity vulnerabilities in recent years. Here's a non-technical explanation of it.
December 12, 2021

You may have heard about the log4j security vulnerability — one of the most widespread cybersecurity vulnerabilities in recent years.

Here's a non-technical explanation of it:

What is it? It's a vulnerability that was discovered in a piece of free, open source software called log4j. This software is used by thousands of websites and applications to perform mundane functions most people don't think about, such as logging information that the website's developers use for debugging and other purposes.

Every web application needs functionality like this, and as a result, the use of log4j is ubiquitous worldwide. Unfortunately, it turns out log4j has a previously undiscovered security vulnerability where data sent to it through that website — if it contains a special sequence of characters — results in log4j automatically fetching additional software from an external website and running it. If a cyberattacker exploits this, they can make the server that is running log4j run any software they want — including software that can completely take over that server. This is known as a Remote Code Execution (RCE) attack.

The net result is that, if the vulnerability is left unaddressed, cyberattackers can right now completely take over thousands of websites and online applications, allowing them to steal money, data, and access. The security community has been completely focused on this vulnerability for the past two days, updating servers running log4j as quickly as possible to protect against it.

The good news is that mitigations are relatively easy to implement. The bad news is that left unmitigated, the vulnerability is extremely easy to exploit. iCloud, Minecraft, Baidu, and many other sites have been confirmed to be vulnerable so far, and you'll likely hear more about many other sites being vulnerable in the coming days. Overall, cybersecurity companies (including F5) have released updates to help companies protect against this vulnerability, and security teams around the world are working on making those updates.

Authors & Contributors
Shuman Ghosemajumder (Author)
Global Head, Artificial Intelligence
