Vulnerability in LOG4J

What is LOG4J?

The Logging Utility for Java, or LOG4J, is a logging library that many of the operating systems and applications we rely on depend on. Simply put, LOG4J records error messages within a system and communicates this information to the administrator or software user.

LOG4J is a Java software library developed by the Apache Software Foundation. The software was originally written by Ceki Gülcü.

LOG4J is open-source software, which means anyone can use the library or make changes to it.

Due to the practicality of this library, LOG4J is very widespread. Popular companies that use LOG4J include iCloud, Steam, Minecraft, Microsoft, Fortinet, IBM, and more.

Have you ever clicked a link and received a “404 Page Not Found” error message? Well, LOG4J tracks this event and reports back all the data associated with it. This is where vulnerability starts rearing its ugly head, which we’ll get to in a moment.

Beyond recording these events, LOG4J also allows an organization to categorize these records, send different logs to different output devices, and customize the output format of log data.

What is the LOG4J Vulnerability and How Does Log4Shell Work?

Remember that ugly head of vulnerability we just spoke about? It’s time you saw its face.

Log4Shell is the name we’ve given to the LOG4J vulnerability. Log4Shell exploits one of LOG4J’s logging system’s own functions for malicious intent.

Just as easily as LOG4J records where and which errors occurred, it can also record the user information from whoever created or happened upon the error. Now, are you starting to see the problem with this system?

Log4Shell was reported to Apache on November 24th, 2021. Apache released a tweet on December 9th, 2021, informing users of this new vulnerability.

Many popular organizations use this software, so they were immediately affected by this vulnerability.

Organizations such as Twitter, iCloud, Cloudflare, Steam, Minecraft: Java Edition, and Tencent QQ have had to deal with the Log4Shell vulnerability.

Log4Shell works by collecting personal data through the recording of error events. When these events are recorded, the username and even the real name of a client can be retrieved. This allows a hacker a free ride directly into any device that records an error.

Not only can they take whatever information they want from an organization, but they can also start causing digital chaos. They can delete information, destroy applications, allow viruses through, and overload the system through directed DoS attacks.

What Damage Can Be Done?

One of the most recent applications of the vulnerability includes easy and illegal crypto mining. As error messages are logged during bitcoin mining, hackers can use the information from the logs to enter the mine and ‘steal’ bitcoins that haven’t been mined yet.

Even further than that, they can track down client information and find those with higher Bitcoin balances. Then they can proceed to transfer funds out of these accounts and into the hacker’s accounts.

At this point, the vulnerability can extend to complete identity and credential theft. By utilizing backend error records that aren’t directly used by the organization itself, hackers can steal all the client information and get none of the blame.

The consequences of this are detrimental to the organization. They may be able to explain why the attack and theft happened, but what will their clients do?

If I were in the client’s situation, I would most certainly hesitate before using that organization’s product or service again – unless I’m sure that my information is safe and won’t be exploited again.

That’s a big promise to live up to, so most organizations won’t be able to guarantee a safe experience unless they’ve subdued the risk.

Naturally, the next big question is what has been done to fix this issue?

Firstly, more organizations must identify the vulnerability within their systems. As LOG4J is such a fundamental component, many organizations might not realize that they have the software library.

Consequently, they don’t realize how they’re perpetuating this vulnerability. Attacks on their servers allow the vulnerability to ‘mutate’ and ‘evolve’ over time, giving hackers more insight into committing cybercrimes.

Next, it should be said that there isn’t only one fix for this problem. A solution depends on how the software library has been implemented in a system, and how the vulnerability manifests. 

Nevertheless, the LOG4J project has addressed the problem directly by releasing fixed versions of the library. We recommend using Log4J version 2.15.0 or higher.

If an organization can’t upgrade its LOG4J library, the next best solution is to remove any instances of Context Lookups within the logs.

Another option is using an online service that scans the system or software for any vulnerabilities.
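The first step above, finding out whether a system even contains the LOG4J library, is the one most organizations get stuck on, because log4j-core usually arrives as a transitive dependency inside someone else's jar. The following script is an added example and not code from the original post or from the Apache project: it walks a directory tree, opens every .jar/.war/.ear it finds, reads the version that log4j-core jars record in their Maven pom.properties, and reports whether that version is below the 2.15.0 minimum the post recommends (the threshold is a parameter so it can be raised to whatever version your current advisory names). It also checks whether the jar still contains the JndiLookup class, since removing that class from the jar is the widely published stop-gap when an upgrade is not possible; the sample jars the script builds are constructed test data, not real LOG4J artifacts.

```python
"""Inventory log4j-core jars under a directory and flag outdated ones.
Added illustrative example; not code from the original post or from Apache."""
import os
import re
import tempfile
import zipfile

# Path of the class that implements JNDI lookups inside log4j-core 2.x.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata entry that published log4j-core jars carry; it holds the version.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Minimum fixed version recommended in the post; raise it to match your advisory.
MIN_FIXED_VERSION = (2, 15, 0)


def version_tuple(text):
    """Turn '2.14.1' (or '2.17.1-rc1') into a 3-tuple of ints for comparison."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums) + (0,) * (3 - len(nums))


def read_pom_version(zf):
    """Return the version string from pom.properties, or None if it is absent."""
    try:
        raw = zf.read(POM_PROPERTIES).decode("utf-8", errors="replace")
    except KeyError:
        return None
    for line in raw.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_jar(path, min_version=MIN_FIXED_VERSION):
    """Inspect one archive. Returns a finding dict, or None if it is not log4j-core."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = set(zf.namelist())
            version = read_pom_version(zf)
    except zipfile.BadZipFile:
        return None
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is None and not has_jndi:
        return None  # no sign of log4j-core in this archive
    below_min = version is not None and version_tuple(version) < min_version
    if below_min and has_jndi:
        action = "upgrade: outdated log4j-core with JndiLookup still present"
    elif below_min:
        action = "JndiLookup removed (stop-gap); upgrade when possible"
    elif version is None:
        action = "review: JndiLookup present but no version metadata (shaded jar?)"
    else:
        action = "ok"
    return {"path": path, "version": version, "below_min_version": below_min,
            "jndi_lookup_present": has_jndi, "action": action}


def scan_tree(root, min_version=MIN_FIXED_VERSION):
    """Walk a directory and scan every .jar/.war/.ear it contains."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jar", ".war", ".ear")):
                finding = scan_jar(os.path.join(dirpath, name), min_version)
                if finding:
                    findings.append(finding)
    return findings


def build_sample_jar(path, version, include_jndi=True):
    """Write a constructed stand-in for a log4j-core jar (test data only)."""
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes


def demo():
    """Build constructed sample jars in a temp dir and return findings by file name."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "lib"))
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "2.14.1")
        build_sample_jar(os.path.join(root, "lib", "log4j-core-2.17.1.jar"), "2.17.1")
        build_sample_jar(os.path.join(root, "patched.jar"), "2.14.1", include_jndi=False)
        build_sample_jar(os.path.join(root, "shaded.jar"), None, include_jndi=True)
        build_sample_jar(os.path.join(root, "unrelated.jar"), None, include_jndi=False)
        return {os.path.basename(f["path"]): f for f in scan_tree(root)}


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(f"{name}: version={f['version']} -> {f['action']}")
```

Run it against a real deployment with `scan_tree("/opt/myapp")` and review anything whose action is not "ok". The script deliberately does not unpack jars nested inside .war or .ear files; an inventory tool used in production should recurse into those as well, because that is where log4j-core most often hides.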
