Log4Shell Critical Zero-Day Vulnerability In Java- Why You Should Care

 “Log4Shell” in Java 

What is Java?

Java is a type of programming language as well as a computing platform. Released by Sun Microsystems in 1995,Java is now used by billions of machines worldwide. 

Now run by Oracle (a database management software), Java is considered the #1 development platform out right now. In fact, NASA uses Java in their World Wind geographical mapping project, Android OS originates from the Java Virtual Machine, and Netflix uses Java for the back-end of most of their applications. Spotify, LinkedIn, and Uber also use Java in some way on their platforms. 

As you've probably gathered, there are a lot of big players in the Java family. The fact of the matter is, that if you don’t have Java installed, some websites and applications simply will not function.

How do I tell if I have it installed?

There are several ways to find out if you have Java installed, however in this article, we’ll only be going over the easiest and quickest steps to do so. 

Please note- this only applies to machines running Windows operating systems.

1. Start by pressing the Windows key and the R Key at the same time. A “run” window will appear. 
2. In the field provided in the Run window, type “cmd” and click “OK” or press enter. This should trigger a black terminal window, otherwise known as a command prompt to appear.

In the command prompt, type in “java-version”. If the window responds by displaying text letting you know which java versions you have installed, you have it. If nothing displays- you guessed right- you don’t have it on your computer. 

Why is it critical to keep it up-to-date?

If you’ve ever had Java installed on your computer, you know that every now and then, it will pester you and prompt you to complete an update. New versions come out fairly often as the Java development team at Oracle are almost constantly looking for vulnerabilities, bugs, and ways to make it run more efficiently.

It may seem like an inconvenience to have to update every time a reminder appears, but these updates usually take very little time and they really do protect your computer. A lot of updates also provide a better user experience. However, as a majority of them contain smaller “patches” you may not notice a drastic change between updates unless updating between major version numbers such as from Java 7 to 8.

At the time of this writing, Java 17 is the latest version available. Java usually recommends downloading the most recent version, however, there are a few instances where this is might not be the best plan of action for you. One such instance would be if you are using applications that do not frequently update their code to align with the requirements of the latest versions of Java. Simply put, if this is the case for the applications you use, you must use an older Java version. If you find yourself in this predicament, we strongly suggest that you use the latest ‘recommended’ version of the older Java that your application can handle (so you’re as secure as you can be).

What is a critical zero-day vulnerability? 

The term “critical zero-day vulnerability” refers to a very serious vulnerability that has existed in any operating system, application or program’s code since its creation- hence the name “zero-day” (aka day zero). Sometimes, the vulnerability is not known about until malicious users exploit it and sometimes (in rarer cases) the vulnerability is recognized by someone who does nothing but fails to report it. 

What is a logging tool?

A logging tool records things that happen while the software or application is running, notating every action that the software makes. The logging tool makes a readable text file that you can use to diagnose problems if things go wrong. 

What is Log4Shell and what can I do to protect myself?

On Thursday, December 9th, 2021 a major zero-day vulnerability called “log4shell” surfaced. This vulnerability was identified in a logging tool (available from Apache) called “Log4J” (which just so happened to be in Java versions 6,7,8, and 11). The vulnerability was given a 10 out of 10 severity rating when it was discovered that it would allow cyber criminals to remotely execute code on computers and servers running “Log4J”. 

This vulnerability could also be exploited to allow malicious users to inject malware such as network snoopers, memory scrapers, data stealers, crypto-miners, ransomware, and in the worst case scenario, completely take over your system.

Luckily, Java quickly responded by releasing some updates that patch the vulnerabilities. Additionally, according to Oracle, any versions greater than 6u211, 7u201, 8u191, 11.0.1 should not be affected by the attacks. Therefore, if you check your Java version and are running a version greater than 11 (or a version that is greater than any of the above listed versions), you should be protected against the zero-day. Of course, this also means that If you are running versions previous to the ones listed, then you should update immediately to a version that isn’t affected.

That being said, if you are in need of an update, here’s what to do:

1.Head to  Java.com and click the large red “Java Download” button to download the latest version.

2.It should take you to a page with a red button that says “Agree and Start Free Download”- click the button.

3.Once you have clicked that button, a new application file should appear in the downloads folder on your computer. Open up that file and follow the prompts to install.

4.When prompted, make sure to allow the installer to uninstall older Java downloads so they are off your computer entirely.

5. You're finished!

As always, if you need more help, we're here. Reach out through the  tech support form for answers and assistance from techs, and they will correspond with you as soon as they can.