sithagaistories
Dec 15, 2021

How does the Log4j vulnerability affect connected devices?

Hey Vicky!

Oh, it's you again. What do you want?

I heard about this Minecraft breach, but it doesn’t really affect connected devices, right?

It's not a Minecraft breach. It's called Log4Shell.

And you're the fifth person to ask me that in the past hour. I think we should do a Story about it.

So, what is Log4j?

It is a software library developed by the Apache Foundation for Java applications.

Its goal is to log different system messages: for example, a user logging into your system, a web request being received, and so on.

A critical vulnerability was found recently in this library: a remote attacker, just by controlling one log message, could achieve remote code execution on a remote device.

It’s a very severe and critical vulnerability.

Unfortunately for us, remote devices ARE affected by this vulnerability.

Why? Because many of these devices use Java as their programming language.

A lot of infotainment systems, medical devices and others use Java, and sometimes this library, and are therefore vulnerable.

So how can we mitigate this vulnerability?

First, we need to understand whether the library is present in the device.

Even if our main app doesn't use Log4j, it's definitely possible that a dependency, or a dependency of a dependency, is using it.

We also need to understand which version is present, because not all versions are vulnerable.

Once we know that we have a vulnerable version, we need to either change the configuration or patch.

Luckily for us, there is a simple configuration that can be added to the firmware to protect the Java application. Better still, upgrade to the newest version.

Thanks
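
The first mitigation step above (finding out whether Log4j is present, even as a dependency of a dependency, and in which version) can be automated. The following is an added example, not part of the original post: it recursively opens JAR/WAR/ZIP archives from an unpacked firmware image and reports every copy of log4j-core with its version and whether the JNDI lookup class is inside. The sample archive, its file names and the version string in it are constructed for the demonstration.

```python
import io
import zipfile

# Real paths inside a log4j-core JAR: Maven metadata and the JNDI lookup class.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")

def scan_archive(data, path="<root>", depth=0, max_depth=8):
    """Return findings for every log4j-core copy in `data`, at any nesting depth."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not an archive (or corrupt): nothing to report
    with zf:
        names = set(zf.namelist())
        if POM in names or JNDI in names:
            version = None  # stays None for shaded JARs that dropped the metadata
            if POM in names:
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
            findings.append({"path": path, "version": version,
                             "jndi_lookup": JNDI in names})
        if depth < max_depth:  # bound recursion on deeply nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVES):
                    findings += scan_archive(zf.read(name), f"{path}!/{name}",
                                             depth + 1, max_depth)
    return findings

def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_sample():
    # Constructed sample: app.jar -> BOOT-INF/lib/reporting.jar -> lib/log4j-core.jar
    log4j = make_zip({POM: b"version=2.14.1\ngroupId=org.apache.logging.log4j\n",
                      JNDI: b"\xca\xfe\xba\xbe"})
    dep = make_zip({"lib/log4j-core.jar": log4j, "com/example/Report.class": b""})
    return make_zip({"BOOT-INF/lib/reporting.jar": dep, "com/example/App.class": b""})

if __name__ == "__main__":
    for finding in scan_archive(build_sample(), "app.jar"):
        print(finding)
```

Compare each reported version against the vendor advisory to decide whether that copy needs the configuration change or an upgrade. A finding with `version` set to `None` means the class is present but the Maven metadata is not, so the version has to be established another way.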
