Java is one of the most widely used programming languages in the world; it can be found in Windows computers as well as in smartphones and game consoles.

Java libraries are software modules that are used to implement certain functionalities in other products.

So it is not something that private PC users deal with on a daily basis; it is a matter for IT professionals who, for example, take care of computer servers.

Thiemo Heeg

Editor in business.

And yet this news does not leave laypeople unaffected: A critical vulnerability (Log4Shell) was discovered in the widespread Java library Log4j, which prompted the Federal Office for Information Security (BSI) to take a far-reaching step.

On Saturday, the BSI upgraded its cybersecurity warning.

The highest level, "warning level red", now applies.

That means: The IT threat situation is extremely critical.

And in this case, according to the BSI, there is a risk: "Failure of many services, regular operations cannot be maintained."

Effects "on countless other products"

Over the weekend, neither the Amazon and Twitter sites nor the Internet as a whole went down. And yet the experts at the Bonn IT security authority are worried. After all, the product in question is very widespread, and this is associated with effects "on countless other products". The vulnerability is also easy to exploit. A proof of concept is publicly available. In the worst case, hackers could take over an affected system completely. The security experts have already established that this is not just a matter of theory. "The BSI is aware of mass scans worldwide and in Germany, as well as attempted compromises. The first successful compromises are also being reported publicly."

Of course, this is not really a big surprise: As soon as software vulnerabilities become known in the IT world, cybercriminals step in to try to exploit them. In the case of the Log4j Java library, much is still unclear. "According to the BSI's assessment, the full extent of the threat situation cannot currently be conclusively determined," admits the authority. There is already a security update, but all products that use Log4j also have to be adapted. Which products are these and for which are there already updates? "Currently not completely clear and therefore to be checked on a case-by-case basis," it says. At least one can expect that further products will be recognized as vulnerable in the coming days.

The computer portal heise.de points out that, among others, services from Apple, Twitter, Steam, Amazon "and probably a lot of smaller services" are affected.

Administrators should take action urgently, the advice goes.

Meanwhile, IT security companies and Java specialists are working to plug the vulnerability.

The firewall specialist Cloudflare is building a mechanism for its customers to block attacks.

Experts warn that it is not just online systems that are at risk.

A QR scanner or a contactless door lock could also be attacked if they used Java and Log4j, it is said.

The BSI advised companies and organizations in particular to install updates as soon as they are available for individual products.