Log4j security Issues have come up and then been (ab)used a lot since October 2021 due to defects in its design that affect a lot of other products￼
It is a 20-year-old open source project￼ Meaning that it is essentially a free software￼ Library that may be used inside any number of a very large number of other pieces of software out there
Its purpose is to create a log file reporting what the main software is doing￼￼.
There is a small chance you may be aware that your piece of software uses this.
There’s a bigger chance you use some software that has got this embedded in it￼￼ That will cause your security problems- And you may not even be aware of it.
The game software “Minecraft” is the most prominent example, but exists elsewhere.
The probability exists that in fact problems will arise from websites and web hosts who are more likely to use this software meaning that they could be issues securely accessing certain websites,
I will add more items here as I learn about it￼
By that I mean, you cannot be sure that Facebook, Twitter, your bank, PayPal etc. don’t in some form use this in their infrastructure – being 20 years old, quite often software infrastructure is incompletely documented and it’s not realized this is being used￼
Companies do have to be motivated to go look for it, and in the worst case they wait for something to fail then run 🏃♀️ and jump on it – the problem is, nothing may go wrong but it could be used as a way to steal passwords & credentials￼
If you were someone that is abusing the service in order to steal passwords and credentials, it behooves you to not damage the website so that nobody would notice… Just remember that.￼
More as we learn of it