As you may have noticed, this past week saw major warnings about major Java applications and web services that use Java and Log4j 2.x versions earlier than 2.15.0. You may wonder how this might affect you and how you can tell if you are affected.
The main concern with the new Java vulnerability is web-accessible servers (computers that run public websites and services) that are built in Java. Often these will be logging various data and events, and with certain crafted inputs, a vulnerability in Log4j will not just log events for debugging, but run things that an attacker wants to run… Until this is patched in every affected system, Wired says, it may cause problems for years to come.
A second possibility for infection could be the Java applications on your laptop or device. Android apps are generally Java apps, but most often use the Android logging system rather than importing Log4j.
On your desktop, specific Java applications could be affected while they are running, particularly when they handle untrusted input or run in untrusted network environments. LibreOffice is said to be safe, but it is possible other Java applications are running on your machine. On a Linux- or Mac-based computer, you can see a list of currently running Java apps/services by running this in the terminal:
ps aux | grep 'java'
This lists the processes on the system and searches the output (“grep”) for the Java command.
It is possible we will see new hacks on popular services due to this vulnerability, so it is as good a time as ever to check Firefox Monitor to see whether, and what, personal information of yours has been leaked on the internet or dark web.
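Knowing that Java is running does not tell you whether an affected Log4j is present. The script below is an added example, not part of the original post: it searches a directory for Log4j jars and flags those whose filename version is 2.x earlier than 2.15.0, the threshold named above. The function names are hypothetical, and it assumes the jars keep the usual log4j-core-<version>.jar filename.

```shell
#!/bin/sh
# Added example: flag log4j-core jars whose filename version is 2.x below 2.15.0.
# Assumption: jars keep the usual log4j-core-<version>.jar filename.

# Print the version embedded in a jar filename, e.g. "2.14.1".
log4j_jar_version() {
    basename "$1" | sed -n 's/^log4j-core-\([0-9][0-9A-Za-z.-]*\)\.jar$/\1/p'
}

# Return 0 (true) when the version is 2.x earlier than 2.15.0.
is_affected_version() {
    case $1 in
        *.*) ;;            # need at least major.minor
        *) return 1 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}   # leading digits of the part after "2."
    [ "$major" = "2" ] || return 1
    [ -n "$minor" ] || return 1
    [ "$minor" -lt 15 ]
}

# Walk a directory tree and report every log4j-core jar found.
scan_dir() {
    find "$1" -type f -name 'log4j-core-*.jar' 2>/dev/null |
    while IFS= read -r jar; do
        ver=$(log4j_jar_version "$jar")
        [ -n "$ver" ] || continue
        if is_affected_version "$ver"; then
            echo "AFFECTED $ver $jar"
        else
            echo "ok $ver $jar"
        fi
    done
}

# Usage: sh check-log4j.sh /path/to/application
[ "$#" -eq 0 ] || scan_dir "$1"
```

A filename search does not see copies of Log4j bundled inside other archives such as WAR files or "fat" JARs, so a clean result here is not proof that an application is unaffected.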