We had a very busy weekend at Visma—and so did most security teams and developers across the globe. Although the holidays are approaching, our talented developers have been working continuously since the 9th of December to upgrade our systems and make sure that we are not vulnerable to the latest widespread cyber attack.
This attack wave exploits a vulnerability called Log4Shell. It first drew public attention when Minecraft players found that pasting a specially crafted string into the game chat made the game server run code of their choosing. Soon afterwards, many tech websites reported that Tesla, Apache, TeamViewer and Cloudflare, among many other services, were working on patching the same vulnerability.
But what is this vulnerability? Does it affect your business? If so, how should you protect your business from it?
Let’s start with some basics.
What is a software vulnerability?
As you might know, any software can have vulnerabilities and security bugs. They appear for many reasons, and attackers constantly look for new ways to exploit them.
When a vulnerability becomes known to a software developer like Visma, we fix it as quickly as possible and release updates and security patches that address the issue. The faster a fix is released and installed, the less time attackers have to exploit the bug. But as we will see, whether the fix is actually installed often depends on the end user more than on anyone else.
The current widespread bug became public on the 9th of December 2021. The maintainers of the affected code library, Apache Log4j, have released fixed versions; however, it is up to each user of the library to update to one of them before attackers exploit it. We will explain this later, but first let's talk about one of the most used programming languages in the world: Java.
Do you remember our old friend Java?
This coffee cup logo is one of the most recognisable logos in the world. People recognise this logo for various reasons. Maybe you have seen it on your coffee machine screen, toaster, computer, or even some mobile video games.
If you have ever installed Java on your computer to use one of the thousands of programs that require it to run, you probably remember the screen saying "more than 3 billion devices run Java". This is a good indication of how popular this very useful programming language is.
Java is a powerful language, and because Java programs run on a virtual machine rather than directly on the hardware, the same program can run on many kinds of devices. It is also a relatively old language, first released in 1995, which means that many generations of programmers have used it to write their software.
One thing programmers almost always do is keep logs of certain events in an application. For example, you might want to keep a log of the IP addresses of everyone visiting your website, to learn which countries like your content the most. Even when programming a coffee machine, you might want to log when most people order coffee so that you can plan your supplies.
One of the many advantages of using a popular programming language like Java is that you will find ready-to-use solutions for the most common programming tasks. You don't have to reinvent the wheel and program each specific task yourself every time.
Instead, you can pick from a vast collection of software components written by other programmers, most of them available for free. These reusable components are called libraries, and the vulnerable component in this story is one of them.
The vulnerability we are discussing was found in Log4j, a very popular logging library for Java. It lets programmers record whatever happens in their application, in whatever format they like. It can also enrich log messages automatically: a special placeholder written into a message, such as a reference to an environment variable or a system property, is replaced by the corresponding value when the message is written. This feature, called a lookup, is where the vulnerability lies.
You can imagine how useful this library is. Considering the 3 billion devices running Java and how widely Log4j is used, you can also imagine why a vulnerability in it is so dangerous.
What is the Log4shell vulnerability?
Today's technology sometimes makes us forget that computers are machines at the end of the day: they receive instructions and execute them exactly as written, without judging whether a piece of text was meant as data or as a command. The vulnerability found in the Log4j library relies on exactly this.
Knowing how logging works, someone discovered that if a specially crafted string was logged by the server, Log4j would treat part of that string as a lookup instruction rather than as plain text. One kind of lookup (a JNDI lookup) tells Log4j to fetch a value from a directory service at a network address written inside the string. If that address points at a server the attacker controls, the attacker's server can answer with a reference to a Java class hosted by the attacker, and the vulnerable application downloads and runs it. That gives the attacker control of the machine running the application.
So, to sum up: if a machine runs a Java application that uses a vulnerable version of Log4j and logs anything a user can submit (a chat message, a username, the name of a web browser), that user can submit such a string and take over the machine.
That is how Minecraft players were able to take control of game servers just by writing this string in the chat. It is very easy and requires very little knowledge to execute, which is why it is such a critical vulnerability.
How to ensure your safety from log4j?
First, you need to know that only some versions of the library are affected: Log4j 2, from version 2.0-beta9 up to and including 2.14.1. As with any other known vulnerability, the solution is to update the library to a fixed version, ideally the latest release. Although that may sound easy, it is trickier than you might think.
We can't stress this enough: both Java and Log4j are extremely popular. You might be using Log4j every day without realising it, because almost all software nowadays is built from many components supplied by different vendors.
This means that even if you direct your IT department to find and update every use of the library, you may still be running a component, or an entire product, from a third-party vendor who has not made the update, and you remain exposed through your software supply chain.
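One practical way to find out is to look inside the deployable artifacts rather than trusting a dependency list, because a vendor's jar or war file can bundle its own copy of the library. The following added example (not Visma's or Apache's code) scans a directory tree of jar, war and ear files, including archives nested inside them, reads the log4j-core version from the library's Maven metadata and checks whether the `JndiLookup` class is present. The fixtures it builds in a temporary directory, the choice of 2.15.0 as the first fixed release and the verdict names are assumptions for the demonstration; the advice above to move to the latest release still applies.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Files whose presence or contents identify log4j-core inside an archive.
LOG4J_CORE_POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
# Assumption for this example: 2.15.0 was the first release to address Log4Shell.
FIRST_FIXED = (2, 15, 0)


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Non-numeric parts are dropped."""
    return tuple(int(p) for p in text.split("-")[0].split(".") if p.isdigit())


def classify(version, has_jndi_lookup):
    if version is None:
        return "unknown-version" if has_jndi_lookup else "not-log4j-core"
    if parse_version(version) >= FIRST_FIXED:
        return "patched"
    if has_jndi_lookup:
        return "vulnerable"
    return "mitigated"   # old version, but the JndiLookup class was removed from the jar


def scan_zip(zf, location, findings):
    """Inspect one archive and recurse into archives nested inside it (fat jars, WARs, EARs)."""
    names = set(zf.namelist())
    version = None
    if LOG4J_CORE_POM in names:
        for line in zf.read(LOG4J_CORE_POM).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    has_jndi = JNDI_LOOKUP_CLASS in names
    if version is not None or has_jndi:
        findings.append({"location": location, "version": version,
                         "verdict": classify(version, has_jndi)})
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                scan_zip(inner, location + "!/" + name, findings)


def scan_tree(root):
    """Scan every archive under `root`; locations are reported relative to it."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_zip(zf, path.relative_to(root).as_posix(), findings)
            except zipfile.BadZipFile:
                continue
    return findings


# ---- constructed fixtures: fake archives laid out like real ones ----

def _log4j_core_bytes(version, include_jndi_lookup):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(LOG4J_CORE_POM,
                   f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        if include_jndi_lookup:
            z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")   # class-file magic only, not a real class
    return buf.getvalue()


def build_fixtures(directory):
    d = Path(directory)
    with zipfile.ZipFile(d / "vulnerable-app.jar", "w") as z:   # fat jar bundling log4j-core 2.14.1
        z.writestr("lib/log4j-core-2.14.1.jar", _log4j_core_bytes("2.14.1", True))
    with zipfile.ZipFile(d / "mitigated-app.jar", "w") as z:    # same version, JndiLookup removed
        z.writestr("lib/log4j-core-2.14.1.jar", _log4j_core_bytes("2.14.1", False))
    with zipfile.ZipFile(d / "patched-app.war", "w") as z:      # WAR with an upgraded library
        z.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", _log4j_core_bytes("2.17.1", True))
    with zipfile.ZipFile(d / "shaded-app.jar", "w") as z:       # log4j classes copied in without metadata
        z.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")


def demo():
    """Returns {location: verdict} for the constructed fixtures."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixtures(tmp)
        return {f["location"]: f["verdict"] for f in scan_tree(tmp)}


if __name__ == "__main__":
    for location, verdict in demo().items():
        print(f"{verdict:16} {location}")
```

Point `scan_tree` at a deployment directory instead of the fixtures to use it for real. The "shaded" case is the one that catches people out: a vendor who copied the Log4j classes into their own jar leaves no version metadata behind, so the scanner reports the class by its path and the version as unknown, which means someone has to look more closely rather than ticking the box.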
Our efforts to address Log4shell
Visma's security practices mean that we keep all of our systems up to date at all times, regardless of any particular vulnerability. Because our customers' safety comes first, we spent the weekend running scans across our infrastructure to make sure that the affected library is updated in all of our services.
Some factors are outside our control, such as other vendors being vulnerable, but our internal process for choosing vendors and partners weighs the security posture and reputation of every vendor. That way, we can keep assuring the safety of our customers' data.
What should I do if I’m a Visma customer?
All you need to do is keep enjoying your Visma software. As the biggest Software as a Service (SaaS) provider in Europe, most of the software we provide is cloud-based. This model lets us fix security bugs across our applications without you having to do anything on your side. Running your services in the Visma cloud means that your applications are kept up to date and secure.
Learn more about how we work with security and privacy at Visma in our Trust Centre.