For a few days now, many companies, public authorities and private individuals have been in a frenzy. A security vulnerability called "Log4Shell" is currently known, which could acutely endanger billions of computer systems worldwide. We present the problem to you and tell you what you need to do in the area of data protection.
What is Log4Shell?
Log4Shell is the name of the critical vulnerability in the Log4j logging library for Java applications published by the German Federal Office for Information Security (BSI) under the number CVE-2021-44228. The BSI warned about the Log4j vulnerability on 10 December 2021 (cf. https://www. bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Schwachstelle_Log4j_211210.html) and published a comprehensive security warning at https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2021/2021-549032-10F2.pdf;jsessionid=3C50F883BFF514E43FD34EF00F02D36F.internet081?__blob=publicationFile&v=8.
What is Log4j?
Log4j is a so-called logging library for Java applications. Essentially, Log4j is used to log error notifications of a Java application. Log4j is an open-source application that is very powerful and easy to integrate. For this reason, Log4j is widely used worldwide and in some cases deeply embedded in computer systems.
Who uses Log4j?
Log4j is used in data centres and enterprise servers, but also by small and medium-sized enterprises, because of its ease of use and high speed. However, it can also be assumed that applications with Log4j components will be used by end users.
Amazon, Apple iCloud, Cisco, Cloudflare, ElasticSearch, Red Hat, Steam, Tesla and Twitter, for example, use Log4j libraries.
What is so dangerous about Log4Shell?
Apparently, only beginner skills are required to exploit the vulnerability. It is sufficient for an attacker to enter a certain command sequence on the compromised computer system. Through this command sequence, the attacker would already be able to completely control the computer system and gain access to further areas of the computer system. Alternatively or additionally, the attacker could reload further malicious code, e.g. to install backdoors.
Is Log4Shell already being exploited?
According to information from the BSI and many IT security companies, Log4Shell is already being actively and massively exploited.
According to initial reports, attackers are said to use infected computer systems for cryptomining. Cryptomining uses the computing power of a computer system to mine cryptocurrencies. The mining of cryptocurrencies is particularly computationally intensive.
It is also feared that perfidious attackers will first install one or more backdoors unnoticed and then wait. Even if the Log4Shell vulnerability is closed, the backdoors could continue to function. In this way, attackers could still be siphoning off data from the compromised computer systems weeks or months from now.
Of the German supervisory authorities, only the Hessian Commissioner for Data Protection and Freedom of Information has published a statement on Log4Shell at https://datenschutz.hessen.de/pressemitteilungen/unmittelbarer-handlungsbedarf-wegen-schwachstelle-in-java-bibliothek-log4j as of 14 December 2021. However, there is no concrete indication of when a reportable violation is to be assumed.
What do you have to do now?
- You must check or have checked as soon as possible whether your computer system is affected by Log4Shell. If so, you must close the vulnerability immediately to prevent damage to your computer system. Keep in mind that the BSI notification is already dated 10.12.2021.
- If your computer system is affected by Log4Shell, you must also immediately check or have checked whether an attacker has already manipulated your computer system, whether by entering control commands or by reloading further malicious code. You should check all entries and installations carefully and then undo and/or delete them. Do not forget to document your activities precisely!
- If you also process personal data with your computer system, you must also immediately check whether and, if so, to what extent personal data has been leaked and/or manipulated. If you have discovered this, you must report these breaches of personal data protection to the supervisory authority in accordance with Article 33 of the General Data Protection Regulation (GDPR). This notification must be received without delay and, if possible, within 72 hours of becoming aware of it.
- Be sure to involve specialists in the technical and legal review. The fine alone for exceeding the 72-hour deadline can be considerable and, depending on the severity of the personal data involved, can also threaten your very existence.
We are available to you as advisors in the entire area of IT/IP and data protection law due to our many years of experience. If you have a "Log4 Shell problem" in your company, please contact us immediately.
GoldbergUllrich Lawyers 2021
Julius Oberste-Dommes LL.M. (Information Law)
Lawyer and
Specialist lawyer for information technology law
