DENVER — The Biden administration is warning of a “severe risk” from a software vulnerability known as the log4shell bug.
The bug impacts the logging framework for Java, log4j, which is run on millions of servers around the world. Logging is the continuous saving of information in an operating system.
MSU Denver computer science professor and cybersecurity expert Dr. Steve Beaty said the bug is sort of like a phishing style attack,
“Log4J often times will accept messages from many different places, and this is, if you will, kind of a phish for a server instead of for a human,” Beaty said.
He said the vulnerability is not new, but a newer version of Log4j recently brought it to light. Hackers have launched tens of thousands of attacks since last week as they try to exploit this bug.
Some companies and governments have shut down websites temporarily while they investigate their exposure. In Colorado, the JeffCo Public School District postponed online enrollment for the 2022-2023 school year because of the problem. The district announced Thursday it would open enrollment Jan. 10 as a result.
But it’s possible that some companies aren’t even aware if their systems run Log4j. In the meantime, hackers may have installed malware, accessed system credentials and stolen sensitive data.
“I think 100% we can expect as time goes by, to find more and more about the damage that log4shell has done,” Beaty said.
Beaty said because Log4java is free, open source software, the fix is being handled mostly by a handful of volunteers.
“I think we as an industry could do better in supporting free and open source software," he said. "All the web servers that we interact with all of the time are running Linux and Apache and Log4j, which is all free and open source software."