Security flaw in widely-used logging system impacts Minecraft, iCloud, more

Minecraft issued an update to protect against the vulnerability

A massive security vulnerability dubbed ‘Log4Shell’ that potentially impacts millions of devices has security teams scrambling to apply patches.

The vulnerability affects an open-source logging library called ‘log4j’ used by apps and services across the internet, according to The Verge. Logging, for those not familiar, is a common process where apps keep a running list of activities they perform that can be reviewed later in case of an error. Nearly every network security system runs some kind of logging process — that gives libraries like log4j significant reach and, by extension, huge impact when there’s a vulnerability like this.

The log4j flaw could allow remote code execution on vulnerable servers if exploited. That could give attackers the ability to import malware that would compromise machines.

Worse, the vulnerability is fairly easy to exploit. Attackers need to make an application save a special string of characters in the log — since apps often log a range of events, covering everything from chat messages to system errors — it’s not hard to inject the string.

For example, the exploit was first spotted on sites hosting Minecraft servers. Those sites discovered that attackers could trigger Log4Shell by posting chat messages. A new version of Minecraft that rolled out Friday includes a patch for the vulnerability.

However, Minecraft is far from the only impacted service. A blog post from security company LunaSec claims that Valve’s popular PC gaming platform Steam and Apple’s iCloud are both vulnerable to Log4Shell. Other vulnerable platforms will likely be discovered in the coming weeks.

The Verge reports that an update released for the log4j library mitigates the vulnerability. However, considering the sheer number of impacted apps and services, and the time it’ll take to update everything, Log4Shell will remain a significant problem.

Source: Ars Technica, The Verge