What is Log4shell vulnerability and does it affect inSided?

22 December 2021

InSided is not affected by the log4shell vulnerability.

What is the log4shell vulnerability?


One of the many advantages of using a popular programming language like Java is that you will find ready-to-use solutions for the most common programming tasks. This means you don’t have to reinvent the wheel and program each specific task every time. Instead, you can use a wide library of well-tested software components written by other programmers. These code components are called “libraries”. Log4j is a very popular library for Java, and this library helps programmers to keep logs of everything that happens in the application. This time around the vulnerability emerged in the popular game Minecraft.



What is a vulnerability, in software? 


In cybersecurity, a vulnerability is a weakness that can be exploited by attackers (hackers) to gain unauthorized access to a computer system. After exploiting a vulnerability, a cyberattack can run malicious code, install malware and even gain access/steal sensitive data.


But how does it work? 


HTTP requests are frequently logged, and a common way of attacking a system is placing a malicious string in the HTTP request URL. To exploit the vulnerability, an attacker must cause the application to save a special string of characters in the log. Since applications routinely log a wide range of events such as messages sent and received by users, or the details of system errors, this vulnerability is unusually easy to exploit and can be triggered in a variety of ways. An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted request to a server running a vulnerable version of Log4j.



Does the log4shell vulnerability affect inSided? 

No, it does not affect the inSided applications as:

  1. We ran a sweep on all systems to identify other locations where this vulnerability could be exploited, and no locations were identified. No processes or code in the inSided platform run this library. We periodically sweep our system for this and other known exploits.
  2. At inSided, no Java code is used in the platform that is publicly available on the web. Java is used only for development.
  3. For any residual risk, we set up a firewall that is managed and updated by AWS to prevent any malicious code from being run by exploiting the log4shell vulnerability.

The inSided application is protected against this vulnerability.


Additional information


https://www.ncsc.nl/actueel/advisory?id=NCSC-2021-1052
https://en.wikipedia.org/wiki/Log4Shell
https://en.wikipedia.org/wiki/Log4j
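As an added illustration of the kind of sweep described in item 1 above (example code written for this post, not inSided's own tooling): it opens each jar/war-style archive, recurses into archives nested inside it, and reports every copy of log4j-core it finds, with its version and whether the JndiLookup class is still shipped. The function names and the constructed fixture are assumptions, as is the 2.17.1 threshold, which should be taken from the current advisory linked above.

```python
import io
import re
import zipfile

# Real entries in log4j-core jars: the JNDI lookup class and the Maven version metadata.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
SAFE_VERSION = (2, 17, 1)  # assumption: take the threshold from the current advisory
ARCHIVES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties):
    """Return (major, minor, patch) from the 'version=' line, or None."""
    for line in pom_properties.splitlines():
        if line.startswith("version="):
            return tuple(int(n) for n in re.findall(r"\d+", line)[:3])
    return None


def inspect_archive(data, label):
    """List log4j-core copies in one archive, recursing into nested jars/wars."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container, nothing to inspect
    names = set(archive.namelist())
    version = parse_version(archive.read(POM_PROPERTIES).decode()) if POM_PROPERTIES in names else None
    has_lookup = JNDI_LOOKUP_CLASS in names
    findings = []
    if version or has_lookup:
        # Deleting JndiLookup.class was an accepted mitigation, so a copy is flagged
        # only if it still ships the class and its version is below SAFE_VERSION.
        findings.append({"path": label, "version": version, "jndi_lookup_present": has_lookup,
                         "vulnerable": has_lookup and (version is None or version < SAFE_VERSION)})
    for inner in sorted(names):
        if inner.lower().endswith(ARCHIVES):
            findings.extend(inspect_archive(archive.read(inner), f"{label}!{inner}"))
    return findings


def build_sample_war(version, with_lookup=True):
    """Constructed fixture: a fake log4j-core jar nested inside a fake war."""
    jar, war = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if with_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr(f"WEB-INF/lib/log4j-core-{version}.jar", jar.getvalue())
    return war.getvalue()
```

To run this over a real deployment, walk the file system and pass each archive's bytes and path to inspect_archive; the fixture only exists so the logic can be checked offline.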


2 replies

Well explained, thanks for taking the time, Alex!

Best log4shell comms I’ve seen so far. 