On December 9, 2021, news first emerged of a serious vulnerability with the logging library Log4j. When IT security topics make mainstream news, it’s usually because something serious is wrong. Although at the time of writing, the Log4j vulnerability issue is still relatively new, we expect the topic to become extremely relevant in the near future. Please read below for important information regarding your security while using web applications.
Important: Meister is not affected (directly or indirectly) by the Log4j vulnerability.
As there is potential for uncertainty and speculation with regard to any major security issue, it is our goal to be as transparent as possible with our users. As part of this commitment to transparency, we would like to outline our own position with regard to the vulnerability and reassure users about the safety of their data while using the Meister Suite.
In this post, we will look through the Log4j vulnerability, known as Log4Shell, by answering the following questions:
- What is Log4j?
- What is the Log4j Vulnerability?
- Is the Vulnerability being fixed?
- Is Meister Affected by the Log4j Vulnerability?
- Do I Need to Do Something with My Meister Account(s)?
What is Log4j?
Log4j is a logging library, provided by the Apache Software Foundation, that is used by almost every application written in Java. From Minecraft to the Integrated Genome Browser, millions of applications worldwide rely on the framework in order to record important information – stored in log files – that makes their services possible to use.
A log file is a file that records events that occur in a software. It could record messages, transactions, or other events. Every time you view your chat history, restore saved progress on a game, or even edit a mind map, you are benefiting from the application’s log file. However, because of the extremely widespread use of Log4j, there is the potential for major disruption if anything were to happen to the service. As such, the current vulnerability must be taken extremely seriously.
In cyber security, a vulnerability is an aspect of a software that can be exploited by attackers for malicious purposes. In most cases, cyber criminals will wish to extract money from their “work” in exploiting vulnerabilities, which is why choosing secure software is important.
What is the Log4j Vulnerability?
The Internet is On Fire
Not all security risks are the same. However, the Log4j vulnerability (Log4Shell) has been given the highest possible Common Vulnerability Scoring System (CVSS) score of 10/10. Some experts believe that we are currently witnessing the most significant online security crisis in a decade.
Essentially, the vulnerability uses Log4j’s core purpose against it. As the utility is designed specifically to log user data, attackers are simply leaving harmful code for Log4j to find and record.
In an attack, the attacker enters a malicious code into a user input field, such as a chat or search field (some of the first examples were recorded in the Minecraft chat). This is the beginning of a sequence that would allow the attacker to “take control” of the web application and perform further harmful actions on other users.
A full explanation of how an attack using the Log4j vulnerability unfolds can be found here.
Naturally, giving cyber attackers the possibility to execute code remotely on services used by millions of people worldwide is a major problem for the companies affected. As the barrier to entry for attackers is especially low, the risk of attack is correspondingly high.
Is the Vulnerability Being Fixed?
Sort of. Apache released a “patch” for the vulnerability on Friday (December 9), but it isn’t as simple as “it’s fixed now.”
This is because the patch may require special conditions for certain services, such as those that use legacy versions of Java. Due to the complexity of Log4j, there is also the possibility that patches could cause web apps to malfunction, which in turn may leave them more vulnerable or cause greater disruption.
During the waiting period, most applications will continue to run as normal, even if they are vulnerable to attack. Although security-conscious organizations (Meister included), will already have investigated the issue in detail and outlined a plan to mitigate risk, other companies may take weeks or even months to solve the issue.
According to Wired: There’s not much that average users can do, other than install updates for various online services whenever they’re available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.
Is Meister Affected by the Log4j Vulnerability?
In short, no. As Meister does not use Java for development, our own software was not affected. We do not use Apache at all, which has also minimized our exposure to the vulnerability. However, having examined the third-party services we use, the following points of interest were noted.
- ElasticSearch: We use ElasticSearch for certain analytical purposes. Although an older version of the software was considered vulnerable, the most recent versions were not, due to the additional security mechanisms in place. We have further updated ElasticSearch anyway in order to minimize the attack surface.
- UniFi: We use UniFi products for our office. However, these have been updated already and are not considered to be at risk.
Do I Need to Do Something with My Meister Account(s)?
No. Please be assured that we rigorously and regularly check our systems, not only against the current vulnerability but against others that emerge in future. We will inform you as soon as possible if the situation changes.
Check the following list of advisories on the Log4j vulnerability to see if any services you use are affected, and whether there are any steps you need to follow.
Follow @MeisterTask, @MindMeister or @MeisterNote on Twitter to keep up to date with the latest developments.
