IT experts: Big concerns about Log4j vulnerability

Status: 13.12.2021 6:11 p.m.

Companies and authorities in Germany are on alert because of possible hacker attacks. At the weekend, the IT security authority, the BSI, declared a red alert because of a vulnerability in server software. It now urgently advises installing updates.

The alarm bells rang for the IT security experts by the weekend at the latest. The Federal Office for Information Security BSI had issued the highest warning level. According to Bonn, there is an extremely critical threat situation: a vulnerability in a Java component called Log4j.

And that is still a major concern for the experts at the start of the week, says BSI President Arne Schönbohm: “It’s about the fact that we have seen on the one hand that the product is used everywhere in all sorts of other products. It is practically a small part of a higher-level software product. That is one topic, so it is widely used. The second topic is that it is a weak point that is very, very easy to exploit.” The experts still don’t even know how many applications contain the dangerous software module.

Federal administration affected in several places

Initial reviews showed that several bodies in the federal administration are affected. So far, however, there have been no indications of “successful attempts at attack on federal authorities or critical infrastructure,” said a spokesman for the Federal Ministry of the Interior in Berlin. The number of federal authorities where the vulnerability was discovered is in the single digits.

The spokesman nevertheless spoke of an “extremely critical threat situation”. “Successful compromises have already taken place” worldwide. It is now necessary to take “immediate protective measures” and to install the security updates immediately.

Consumers not yet affected

Schönbohm also reported that there are still no immediate consequences for consumers. “Cell phones and iPads have not been affected so far, that has to be said very clearly.” Rather, authorities and companies are affected and “in the end it is the consumer who uses these services”.

Race between attackers and defenders

Schönbohm underlined the urgency to act: companies and authorities should carry out updates as soon as possible. The criminals are very active. “We’re already seeing a massive scan.” There is a race between attackers and defenders.

It’s not the targeted attacks, it’s about getting in there across the board and taking advantage of that so that you can then get inside and install other back doors before this gap is closed.

The criminals could then take advantage of these back doors for a long time to come. In addition to the updates, he recommended that companies and authorities disable certain functions, “which means that the possibility of attack is significantly lower”. When asked how many companies were affected, Schönbohm said: “You can’t say that yet, we are in a processing phase.”

“That can mean just about anything”

His authority is in contact with IT security authorities in other countries, such as the Netherlands, France and the USA. He confirmed that attack attempts had already taken place, but did not want to give details.

Every single piece of software in which the library is used now has to be revised as quickly as possible. Otherwise hackers would have an easy time of it, explains Michael Meier. He is Professor of IT Security at the University of Bonn and Head of Cyber Security at the Fraunhofer Institute FKIE:

An attacker can, as it were, gain access to the system and execute programs there. Unfortunately, this can result in almost anything that can be imagined with a computer system. He can delete everything, copy everything, turn the computer off and on again – really everything that can be done with programs.

Update for Log4j

Log4j is a so-called logging library. Its job is to record various events during server operation, as in a log book, for example so that errors can be analyzed later. The vulnerability can be triggered simply by getting a certain string of characters written to the log. This makes it rather easy to exploit, which is a major concern for experts.

The problem was noticed on Thursday on servers for the online game “Minecraft”. IT security firms and Java specialists worked to plug the vulnerability.

An update is now available for the affected versions of the open source Log4j library. However, its protection only takes effect when service providers install it. That’s why the firewall specialist Cloudflare built in a mechanism for its customers to block attacks.

Experts warned that it is not just online systems that are at risk. A QR scanner or a contactless door lock could also be attacked if they used Java and Log4j, emphasized Cloudflare.

With information from Jörg Sauerwein, ARD-Studio Cologne
