Learn about Log4j's vulnerability in a few slides.
Let's go!
Find this slideshow: https://martinheywang.github.io/slideshow-log4j-vulnerability
Chapter One
Disclaimer
The following definitions are my own and may not be perfectly accurate. They are written so that non-programmers can still follow the slideshow.
A vulnerability, in computer science, is a bug in a piece of software that can be exploited for harmful purposes.
A hacker is a person whose job is to find vulnerabilities.
One clarification, though
A hacker is not necessarily malicious. They can be paid by a company to find vulnerabilities in its products, for example.
A library is a piece of software that can be used by other programs. It often simplifies hard and/or repetitive tasks.
Related terms: framework, package...
Chapter Two
a concept
Any running process should keep a precise log of what it does. That way, if the process fails, the developers will be able to find out what happened.
Think of logging like a crime scene
After a crime, police officers try to find evidence and question witnesses.
If a process fails, the developers read the logs to find out what happened.
Example log: "message"
Warming up...
Downloading new version (46 MB)
No internet connection. Aborting.
Process "update" exited with code 1
the library
Log4j, short for Logging for Java (Java being a programming language), is the vulnerable library.
It is used worldwide in countless systems, including Minecraft and services run by Amazon Web Services.
a feature
Templates (Log4j's own name for them is lookups) are a feature of Log4j that lets developers replace a specific string of characters, written as ${...}, with a dynamic value, such as the current date and time.
For example, "${date}" would be replaced by "1999/12/31 23:59:59.999". (In real Log4j the date lookup also takes a format, as in ${date:yyyy/MM/dd}; the simplified form is kept here for readability.)
Real-world example for templates
Imagine you are chatting with someone:
Templates are the way of saying that to a computer.
Example log: "${date} message"
2022/01/05 13:43:28.381 Warming up...
2022/01/05 13:43:29.390 Downloading new version (46 MB)
2022/01/05 13:43:32.405 No internet connection. Aborting.
Process "update" exited with code 1
what's wrong?
Lookups can do much more than adding a date at the beginning of a message. One of them, the JNDI lookup (${jndi:...}), asks a remote server for a value, and a vulnerable Log4j could end up running code that the server sends back.
That means any app is vulnerable as soon as it uses an unpatched Log4j and logs user input, like a username. If that username looks like a lookup, Log4j evaluates it and does whatever it says, such as fetching and running malicious code from an attacker's server.
Chapter Three
arrow_forwardthen what?
Log4j has already been fixed: the patched versions no longer evaluate lookups found inside log messages, and the remote (JNDI) lookup is disabled by default.
But each individual app now needs to update its own copy of Log4j, a step that may be harder than it seems.
a concept
Each app may rely on multiple libraries, and each of these libraries may rely on other ones, in different versions, just as you rely on a supermarket for your food and the supermarket relies on its own suppliers.
Some apps do not even know that they rely on Log4j under the hood, because another library pulls it in for them. They may not be aware that they are vulnerable, so they will not update their version of Log4j.
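Finding Log4j where nobody expected it, as an added example that is not part of the original slideshow: a Python scanner that opens every .jar under a directory (a jar is a zip file), looks for the class that implements the dangerous lookup, reads the version from the Maven metadata that log4j-core ships with, and descends into jars bundled inside other jars or .war files, which is where a transitive dependency usually hides. This is not the project's code; the sample deployment it builds (file names, versions, the fat jar) is constructed inline for the demonstration.

```python
import io
import os
import tempfile
import zipfile

# Added example (not the project's code): find Log4j hidden in an
# application's dependencies by looking inside every .jar, including jars
# bundled inside other jars or .war files. The file names and version
# numbers below are constructed for illustration.

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _log4j_version(zf):
    """Read log4j-core's version from the Maven metadata it ships with."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, path, findings):
    """Record this archive if it contains Log4j's JNDI lookup class, then
    descend into any archives nested inside it."""
    names = zf.namelist()
    if JNDI_CLASS in names:
        findings.append((path, _log4j_version(zf)))
    for name in names:
        if name.endswith(ARCHIVE_SUFFIXES):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    scan_archive(inner, f"{path}!/{name}", findings)
            except zipfile.BadZipFile:
                pass  # not really an archive; skip it


def scan_dir(root):
    """Return [(archive path, log4j-core version or None), ...] for every
    archive under `root` that ships JndiLookup.class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in sorted(files):
            full = os.path.join(dirpath, fname)
            if fname.endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    scan_archive(zf, full, findings)
    return findings


def build_sample(root):
    """Constructed deployment: a jar that does not use Log4j, an obvious
    log4j-core jar, and a fat jar that quietly bundles an older log4j-core."""
    def make(path, entries):
        with zipfile.ZipFile(path, "w") as zf:
            for name, data in entries.items():
                zf.writestr(name, data)

    make(os.path.join(root, "commons-lang3-3.12.0.jar"),
         {"org/apache/commons/lang3/StringUtils.class": b""})
    make(os.path.join(root, "log4j-core-2.14.1.jar"),
         {JNDI_CLASS: b"", POM_PROPS: b"version=2.14.1\n"})
    nested = io.BytesIO()
    with zipfile.ZipFile(nested, "w") as zf:
        zf.writestr(JNDI_CLASS, b"")
        zf.writestr(POM_PROPS, b"version=2.13.3\n")
    os.makedirs(os.path.join(root, "lib"))
    make(os.path.join(root, "lib", "myapp-all.jar"),
         {"com/example/App.class": b"",
          "BOOT-INF/lib/log4j-core-2.13.3.jar": nested.getvalue()})


def demo():
    """Build the sample in a temporary directory, scan it, and return the
    findings with paths relative to that directory."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return [(os.path.relpath(path, root), ver) for path, ver in scan_dir(root)]


if __name__ == "__main__":
    for path, ver in demo():
        print(f"{path}: log4j-core {ver or 'unknown version'}")
```

Point `scan_dir` at a real deployment directory instead of the constructed sample to get the same list; the version in each finding is what you compare against the patched release, and a finding whose path contains `!/` is exactly the "we didn't know we used Log4j" case from the slide.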
a concept
In some cases, updating a library brings breaking changes: the app's own code has to be modified just to keep working, without gaining any feature.
Fixing a single vulnerability may therefore open the door to other, as yet unknown, vulnerabilities.
Sources