It’s being called the “worst bug impacting the Internet in the last 5 years, at least,” according to Matthew Prince, CEO of the web security company Cloudflare.
“The single biggest, most critical vulnerability of the last decade,” said cybersecurity firm Tenable CEO Amit Yoran.
Prince and Yoran are talking about “Log4Shell,” a new exploit found in log4j2, an open-source, Java-based logging library from Apache, typically found on Apache web servers. Developers add it to applications in order to record app activity.
According to Wired, it’s not hard for a hacker to exploit the flaw. A bad actor simply needs to send malicious code that will eventually get logged by log4j2. From there, the attacker would be able to take full control of a server remotely.
Just how bad is this?
Log4j is commonly used on an untold number of servers. The issue can basically strike large swaths of the internet. Apple iCloud, social media services like Twitter, and online gaming platforms like Minecraft and Steam are all affected.
Let’s take the popular Microsoft-owned video game Minecraft, for example. The game has already been hit by attackers exploiting Log4Shell. As cybersecurity expert Mark Hutchins explained, all a bad actor had to do was paste a “short message into the chat box” in the game, and they were able to compromise Minecraft’s servers.
Minecraft developers have since patched the exploit in the game and users have been urged to update their app. However, countless other applications, platforms, and services remain vulnerable.
“I’d be hard-pressed to think of a company that’s not at risk,” said Cloudflare chief security officer Joe Sullivan to AP.
According to Adam Meyers, Senior VP of Intelligence at cybersecurity firm CrowdStrike, the vulnerability has already been “fully weaponized,” as nefarious actors have already created tools to exploit it.
“The internet’s on fire right now,” Meyers said. “People are scrambling to patch and all kinds of people are scrambling to exploit it.”