Log4j poses some deep challenges to IT. In this article I’ll discuss some tactical measures people are already taking now and over the next week or two, and some strategic guidance for what to do after the immediate crisis abates.
Log4j is a very useful tool incorporated in much Java code. There are so many places in code where a programmer wants to take some data and put it into a log, or some other kind of repository, for later action. Log4j does this – it takes a string and copies it from one place (the userid field in a login screen, for instance) and puts it somewhere else (the input area for an authentication process, for instance). Log4j does much more than a simple CTL-C/CTL-V though. Log4j also examines the string and interprets it.
Interpretation is generally risky, because unless the program sanitizes the code, things can go quite wrong. As the brilliant XKCD comic “Exploits of a Mom” points out:
Source: Trend Micro
Related story: Are Endpoints at Risk for Log4Shell Attacks?