Major global companies are facing pressure to fix what experts are calling one of the most serious software flaws in recent memory. The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the US government’s cybersecurity agency.
Microsoft Corp and Cisco Inc have published advisories about the flaw, and software developers released a fix late last week. But a solution depends on thousands of companies putting the fix in place before it is exploited.
“This is probably the worst security vulnerability in at least the last 10 years — maybe longer,” said Charles Carmakal, the chief technology officer for cybersecurity firm Mandiant Inc. He said Mandiant received requests from several major companies in the last few days for help.
Alibaba Group’s cloud-security team recently discovered the flaw, according to the nonprofit Apache Software Foundation, which maintains Log4j.
The vulnerability effectively allows hackers to take control of a system. Because the faulty computer code is baked into the software of all sorts, updating it is a painstaking process.
“To be clear, this vulnerability poses a severe risk,” Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency, said in a statement Friday. Vendors “must immediately identify, mitigate, and patch the wide array of products using this software,” she said.
VMWare Inc, which makes computer-virtualisation software, said Thursday that several of its products were likely affected by the Java-based Log4j.
Amit Yoran, the CEO of Tenable Inc., which makes widely used vulnerability-scanning software, said the Log4j flaw is so ubiquitous that, among customers running Tenable’s scanning products, at least three systems a second are reporting they’re affected.
“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” Easterly said, adding that CISA has cataloged the vulnerability — requiring US federal civilian agencies to fix it promptly. As of Saturday, the agency hasn’t identified compromises in federal systems.