There is a vulnerability in Java software that threatens billions of devices around the world. Companies such as Apple and Tesla are affected. But critical infrastructure in Switzerland is also at risk.
Experts warn of the Log4shell vulnerability.
It threatens large parts of the Internet.
Critical infrastructure is also at risk, including in Switzerland.
What this is about
There is a huge vulnerability in the global IT infrastructure.
IT expert Marc Ruef of Scip AG explains its extent.
The Log4shell vulnerability affects billions of devices.
In addition to companies, we as private individuals are also at risk.
What is Log4shell?
Marc Ruef: It is a vulnerability in a well-known module called Log4j. This is used for logging data. A logging module is supposed to take notes. That sounds simple, and actually it is. Conceptually, however, the mistake was made that the character strings to be logged can be interpreted and enriched. The complexity this introduces makes it possible to execute one's own commands by sending requests.
How dangerous is the gap?
Various sources assume that up to three billion systems could be affected. This makes it the greatest vulnerability since the beginning of the Internet era. In addition, the affected components are exposed, the attack is relatively easy to carry out, and it is difficult to fend off with countermeasures.
Who is affected?
Everyone who uses Apache Log4j. Practically every medium and large company will probably use at least one product that is based on it. Large providers such as Apple, Amazon, Google and Tesla are also affected. Service providers in the electricity, water and transport sectors will be affected just as much.
Why are so many affected?
Modern IT is unfortunately a patchwork of different products, which leads to more fragility. What we are observing here is the new normal. As long as there is no rethinking in IT, we will see this effect more and more in the future. This is a trend that absolutely must be combated.
How high is the danger situation in Switzerland?
This is difficult to assess. After reports of the first systematic attack attempts became known, one must assume that criminals want to make a profit from the problem. It is foreseeable that the first specific reports on compromises, ransomware attacks and data leaks will be making the rounds in the coming days.
Warning from the federal government
The National Cyber Security Centre (NCSC) began on Saturday to inform potentially vulnerable organizations in Switzerland. Such notifications have also been sent to several operators of critical infrastructure. The NCSC has not yet received any reports of successful attacks in Switzerland in which the vulnerability was exploited.
However, there is no general obligation to report cyber incidents in this country. Since the vulnerability became known, all possible precautions have been taken in the federal administration to protect its infrastructure as well as possible, the administration says on request. Since the vulnerability became known, the NCSC has been in constant contact with national and international partners on the topic.
How difficult is it to exploit the vulnerability?
Basically, this is a very simple attack. As is so often the case, however, the devil lies in the details: to carry out a smooth attack in an individual target environment, a great deal of technical understanding is required. That can't be acquired quickly.
How immediate is the threat to me?
The vulnerability primarily affects IT infrastructure operators. End users do not actually use the affected software component themselves. However, they can still be indirectly affected by successful attacks, for example if their user data is suddenly destroyed or sold. We anticipate that, on the basis of this vulnerability, more user data will be offered for sale on the darknet in the coming weeks.
How can the problem be resolved?
Basically, an updated version of the affected component should be installed. This sounds easy, but in reality it often isn't: frequently you don't even know where the component is used. Or it is not clear whether it can be updated easily without breaking dependencies. In the medium term, one has to discuss whether Log4j has simply missed its mark and, because of its complexity, has lost its raison d'être for the time being from a security point of view.
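The remediation step described above depends on first knowing where Log4j is actually deployed. As an added example (not part of the interview or of 20 Minuten's text), here is a small inventory scanner in Python: it walks a directory tree, opens every jar/war/ear it finds, reads the `pom.properties` that Maven-built `log4j-core` jars carry, recurses into nested archives (fat jars and WARs), and reports each copy's version together with whether the `JndiLookup` class is present. The `MIN_SAFE_VERSION` threshold, the placeholder class bytes and the sample archives built by `build_sample_tree` are constructed assumptions for illustration; set the threshold to the version your vendor advisory names.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Assumption: builds below this version are reported as "needs_update".
# Adjust to the version named in the advisory that applies to your deployment.
MIN_SAFE_VERSION = (2, 17, 1)

# Maven-built log4j-core jars carry their version here.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Presence of this class is what makes the lookup feature available.
LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' (or '2.17.1-rc1') into a comparable tuple, e.g. (2, 14, 1)."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:          # keep only the leading digits of each segment
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def inspect_archive(data, location, findings):
    """Inspect one archive given as bytes; recurse into archives nested inside it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return                    # not a zip container, nothing to inventory
    names = set(zf.namelist())
    if POM_PROPS in names:
        version = None
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
        findings.append({
            "location": location,
            "version": version,
            "has_jndi_lookup": LOOKUP_CLASS in names,
            "needs_update": version is None or parse_version(version) < MIN_SAFE_VERSION,
        })
    # Fat jars and WARs ship their dependencies as nested archives.
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            inspect_archive(zf.read(name), f"{location}!/{name}", findings)


def scan_tree(root):
    """Walk a directory tree; return one finding per log4j-core copy, sorted by location."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            inspect_archive(path.read_bytes(), str(path), findings)
    return sorted(findings, key=lambda f: f["location"])


def build_sample_tree(root):
    """Constructed test data: a bare log4j-core jar and a WAR that nests another copy."""
    root = Path(root)

    def make_log4j_jar(version, with_lookup):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_lookup:
                zf.writestr(LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not a real class
        return buf.getvalue()

    (root / "log4j-core-2.14.1.jar").write_bytes(make_log4j_jar("2.14.1", True))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", make_log4j_jar("2.17.1", False))
    (root / "app.war").write_bytes(buf.getvalue())
    return root


def demo():
    """Build the constructed sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real application directory with `scan_tree("/path/to/apps")`; each finding says where the copy lives (including the path inside a nested archive), which version it is, and whether it still contains the lookup class, which is the information needed to decide what to update first.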