...
...
Next Story

Log4j vulnerability: What you need to know about the software bug

Log4j exploits started on December 1 and since then, warnings have been issued by several national cybersecurity agencies.

Published on: Dec 14, 2021 06:27 AM IST
By | Written by , New Delhi
Prefer HTon Google
Advertisement

A flaw in Log4j, a Java library for logging error messages in applications, has prompted governments to issue urgent warnings and forced companies to rush in to fix one of the most serious software flaws.

Log4j vulnerability was reported earlier this month.  (Reuters File Photo)
Log4j vulnerability was reported earlier this month.  (Reuters File Photo)

According to internet infrastructure provider Cloudflare, Log4j exploits started on December 1. Since then, warnings have been issued by several national cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC) and Germany's federal cybersecurity watchdog, the BSI.

Also read | Log4j vulnerability sends cyber defenders scrambling

“To be clear, this vulnerability poses a severe risk,” CISA director Jen Easterly said in a statement Friday. “We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” Easterly said.

She added vendors “must immediately identify, mitigate, and patch the wide array of products using this software.”

What is Log4j?

Log4j is open-source software maintained by a group of volunteer programmers as part of the nonprofit Apache Software Foundation and is a key Java-logging framework. Through Log4j, which security experts said is used by millions of applications, that developers can put into applications to monitor, or 'log’, which can help programmers debug software.

Apache noted in its security advisory the issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd. The flaw in the Log4j software could allow hackers unfettered access to computer systems.

Reports have said the initial exploitation was spotted on December 2, before a patch rolled out a few days later. While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j.

What are companies doing to fix software exploit?

Major global companies, including Microsoft Corp and Cisco Inc, are facing pressure to fix what experts are calling one of the most serious software flaws in recent memory.

Microsoft and Cisco have published advisories about the flaw, and software developers released a fix late last week. VMware has also released patches for its affected products respectively.

Also read | 4,000 cyber-attacks on India’s Botanical Survey website in 2 months

Oracle has issued a patch for the flaw, too. "Due to the severity of this vulnerability and the publication of exploit code on various sites, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," it said.

AWS, which has detailed how the flaw impacts its services, said it is working on patching its services that use Log4j and has released mitigations for services like CloudFront.

IBM, which has confirmed Websphere 8.5 and 9.0 are vulnerable, said it is "actively responding" to the Log4j vulnerability across its infrastructure and its products.

 
Get the latest headlines from US news and global updates from Pakistan, Nepal, UK, Bangladesh, Russia and US Iran war Live, get all the latest headlines in one place on Hindustan Times.
Get the latest headlines from US news and global updates from Pakistan, Nepal, UK, Bangladesh, Russia and US Iran war Live, get all the latest headlines in one place on Hindustan Times.
SHARE THIS ARTICLE ON
Hindustantimes wants to start sending you push notifications. Click allow to subscribe