But what can we as regular users do?
We as end users? Nothing, only those who run the servers are able to solve this vulnerability - which was patched on the latest version 2.15[1] - and we, as end users, simply have to trust that whoever has our data stored - as small as it is - will implement this update as soon as possible.
This attack does not target us, it targets servers. So it's important to not leave your personal info everywhere, which is easier said than done, as sites like Amazon or Ebay require it for deliveries.
While it doesn't attack end users
per se, it can be used very easily to obtain, for example, the details of a user in a specific service (take, as an extreme example, your Amazon account data). While CloudFlare posted an informative analysis regarding the vulnerability itself[2]and how it was tackled inside of the company[3]. For those who are not so tech savvy - as myself - I found this explanation[4] over at Reddit quite good:
Answer: Many, many servers including many internet servers use a programming language called Java. Java has been around for a quarter of a century at this point, which in computer technology time, is a very long time indeed. In other words there's lots and lots of servers out there that use Java.
Something that almost every server must do is, over time, generate logs of text. For example "At 12:23pm user 67456 submitted a review for product 7635824: This is the best toothbrush I've ever purchased!".
One of the oldest Java plugins (called libraries) for logging things in a server is called Log4J which has been around for 20 years now. In other words there's lots and lots of servers out there that use Log4J.
It turns out that some versions of Log4J have a critical vulnerability where if a specially formatted piece of text is saved to a log that is handled by Log4J, an arbitrary command can be executed in that server. So for example, "At 12:23pm user 67456 submitted a review for product 7635824: {send user 82738's private account details to badguy267@evil.scammers.com}"
These examples are simplified a lot, but they hopefully communicate the basic nature of the threat.
Unfortunately, as an individual, there's not a lot that you can do about any of this. First off, it's difficult to know which of the internet services that you use depend on Java. Secondly, it is virtually impossible to know which of these services use Log4J. Thirdly, it is even more impossible to know which versions of Log4J they are using.
[1]
https://logging.apache.org/log4j/2.x/download.html[2]
https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/[3]
https://blog.cloudflare.com/how-cloudflare-security-responded-to-log4j2-vulnerability/[4]
https://libreddit.spike.codes/r/OutOfTheLoop/comments/rdtoqo/whats_going_on_with_an_internet_exploit_called/ho3hofk/ -> From here on now, I'll always be using libreddit when pointing out links for Reddit. For more information about it, you can check out
this post by the developer (Essentially it's a private front-end for Reddit.)