Date: 2021-12-15

A security hole in the Log4j software library, revealed last Thursday (9), is worrying experts. This is because the tool is used by several companies around the world and the vulnerability can give access to critical parts of applications.

At first glance, there is no relationship between this vulnerability and the attacks suffered by government agencies last Friday (10).

Log4j is an Apache library that helps developers do what is called “logging”, a process that keeps records of interactions, information sent, data processed and the results of a given action.

“Logging” allows you to keep this log to analyze the behavior of an application or to keep track of changes made during program development.

Log4j has a number of features for this purpose and is used in Java applications, which are very popular around the world.

The flaw in Log4j allows a hacker to insert active code into the logging process. This code then tells the server that hosts the software to execute a command the hacker wants, which can vary depending on the attacker’s intentions.

Cloudflare, an internet service provider, illustrated the flaw with an invoicing system: an application may write a log entry when a customer’s first name is not found.

Knowing this, a hacker could make a request with a first name containing the code that triggers the vulnerability and, through a database, execute a command that would give access to the company’s systems.

The vulnerability is critical, which means that the flaw could give the hacker control of a machine or a server.

The problem was first publicly revealed by a security researcher working at the Chinese e-commerce and technology company Alibaba Group, according to a statement by Apache, the nonprofit organization that maintains the Log4j library.

“The Apache Log4j remote code execution vulnerability is the biggest and most critical in the last decade,” Amit Yoran, chief executive of Tenable, a computer network security company, and founder of the United States Computer Emergency Readiness Team, told Reuters.

The US government on Friday sent a warning to the private sector about the flaw and the risk it poses, according to the Reuters news agency.

Juan Andres Guerrero-Saade, cybersecurity researcher at SentinelOne, called the problem “one of those nightmarish vulnerabilities that you have virtually no way to prepare for.”

Despite the fanfare, no major incidents have been publicly reported so far as a result of the vulnerability.

A fix for the vulnerability was released last Friday (10th) by Apache, but security experts say it will take time to find the faulty program and implement the fixes, as the fix is not applied automatically.
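
The following added example, which is not part of the original article or of Apache's own tooling, shows one way to find where the library is installed: it walks a directory tree, opens Java archives (including archives nested inside other archives) and reports each place where log4j-core is bundled. The function names, and the choice to read the version from the Maven `pom.properties` file inside the archive, are assumptions of this example.

```python
import io
import zipfile
from pathlib import Path

# Class file that ships inside log4j-core 2.x and implements its JNDI lookup.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Maven metadata that records the bundled log4j-core version.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear")


def _version(zf):
    """Return the log4j-core version recorded in pom.properties, or None."""
    try:
        text = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, label, depth=0, max_depth=5):
    """Yield (location, version, has_jndi_class) for each embedded log4j-core."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a readable archive; skip it
    with zf:
        names = set(zf.namelist())
        version = _version(zf)
        has_class = JNDI_CLASS in names
        if version is not None or has_class:
            yield label, version, has_class
        if depth < max_depth:  # bound recursion into nested archives
            for name in sorted(names):
                if name.lower().endswith(ARCHIVE_EXT):
                    yield from scan_archive(zf.read(name), f"{label}!{name}",
                                            depth + 1, max_depth)


def scan_tree(root):
    """Walk a directory and scan every Java archive, including nested ones."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            findings.extend(scan_archive(path.read_bytes(), str(path)))
    return findings
```

Compare each reported version against the fixed release named in Apache's advisory. An entry whose version is `None` but whose class flag is `True` usually means the library was repackaged into a larger archive without its Maven metadata.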