A new vulnerability in a widely used piece of software has been described as “a design failure of catastrophic proportions”, and could pose “a severe risk” across the internet.
The vulnerability, tracked as CVE-2021-44228 and nicknamed ‘Log4shell’, was first discovered in Apache’s Log4j software, a tool which allows developers to log data and keep track of changes in applications.
Despite the wide-ranging potential consequences of such a widespread software vulnerability, Log4shell could otherwise have gone unnoticed by the average tech user.
However, it is believed to have first been detected on websites catering to the popular video game Minecraft.
This led to concern from parents worried about their children’s online safety. And now, a second, similar exploit has been uncovered.
Here is everything you need to know about it.
How does the exploit work?
The details of the exploit are complicated.
Essentially, the vulnerability can allow hackers to carry out remote code execution attacks against Java-based web servers, which they may use to take control of the affected systems.
In a detailed breakdown of Log4shell, Microsoft - which owns Minecraft - said that once hackers gain access to and control of an application, they can perform all sorts of nefarious tasks, such as installing crypto coin miners and stealing credentials and data.
Since Java is used so ubiquitously across the internet, on a large number of servers and applications, a great swathe of common services are potentially affected by Log4shell.
Some of the biggest names confirmed to be affected by the exploit include Amazon Web Services, Google, IBM, iCloud, Minecraft, and the PC game client Steam.
Even government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) in the US have found that some of their services were vulnerable.
How damaging could it be?
“Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information,” CISA noted in a statement.
“An unauthenticated remote actor could exploit this vulnerability to take control of an affected system.”
CISA director Jen Easterly said the vulnerability was already being “widely exploited”, and that Log4shell “poses a severe risk.”
In the UK, the National Cyber Security Centre has advised all organisations to install the latest Log4j updates wherever Log4j is known to be used.
What can I do to keep my devices secure?
Since the exploit lies deep within the code of many applications, there is not much the average user can do.
However, don’t panic. Fixes for the Log4shell vulnerability were released on 6 December, three days before the exploit was made public online.
It is then up to developers to implement these updates into their software and services, before rolling them out to users.
Therefore, it’s important that you keep your software and devices as up to date as possible, installing any optional updates and patches you are presented with.
Developers seem to be moving fairly swiftly on the issue too. For instance, Microsoft has said the exploit has been “addressed with all versions of the game client [Minecraft] patched”.
They - like many other tech companies - advise users to take additional steps, such as looking out for new software updates to secure the game.
How do I update Minecraft Java?
Seeing as it’s one of the most widely used services affected by the vulnerability, and has a younger audience overseen by concerned parents, here’s how you can make sure your child is playing the latest, most secure version of Minecraft Java.
Start by opening the Minecraft launcher. If you don’t have the launcher you can download it here.
The launcher should automatically show you the latest release. If not, press the arrow to the right of the play button and select “Latest Release”.
For those playing the ‘standard’ edition of the game on PC, Minecraft for Windows should update to the latest version automatically.
If not, open the Microsoft Store, select the three dots in the top right corner and choose “Downloads and updates”. From here, select “Get updates” and all your installed applications should update - including Minecraft.
For more information, including how to update the game on other platforms, head to the official Minecraft website.
A message from the editor:
Thank you for reading. NationalWorld is a new national news brand, produced by a team of journalists, editors, video producers and designers who live and work across the UK.