Log4j Cyber Security Flaw Seriously Concerns Experts

A critical flaw in widely used software has cyber security experts raising alarms and big companies racing to fix the issue. The vulnerability is in Java-based software known as "Log4j" that many large organisations use to configure their applications and it poses potential risks for much of the Internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has now issued a statement ordering all civilian federal agencies to patch the Log4j vulnerability. 

The Log4j vulnerability is currently being widely exploited by a growing number of threat actors, prompting government officials to take action.

The flaw presents a high threat to companies given its broad use and active exploitation. The issue lies in a commonly used utility that has been incorporated into countless pieces of software because it is open source, meaning anyone can use it. Log4j is principally uses as a tool to log activity for many computer systems. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers. It runs across many platforms, powering everything from webcams to car navigation systems and medical devices, according to the security firm Bitdefender

The flaw in Log4j allows attackers to  seize control of everything from industrial control systems to web servers and consumer electronics. Unless it is fixed, it gives a potential opening to internal networks where cyber criminals can loot valuable data, plant malware, erase crucial information and more. The first obvious signs of the flaw's exploitation appeared in the Microsoft online game Minecraft, when users were able to use it to execute programs on the computers of other users by pasting a short message in a chat box. 

Apache Software Foundation said the Chinese tech giant Alibaba notified it of the flaw on November 24 and the  Foundation rates the risk at 10 out of 10.

CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use’  according their latest statement.

CISA has added the harmful flaw to its Known Exploited Vulnerabilities Catalog and created a new landing page for all content regarding the vulnerability. CISA is providing insight to organizations via the Joint Cyber Defense Collaborative that includes numerous US  cybersecurity companies. 

  • The US Department of Homeland Security has ordered federal agencies to urgently eliminate the bug because it is so easily exploitable, and telling those with public-facing networks to put up firewalls if they cannot be sure.
  • In Australia, the Australian Cyber Security Centre has issued a critical alert urging organisations to apply the latest patches to address the weakness.

The Director od CISA, Jen Easterly, was reported describing  the flaw "one of the most serious I've seen in my entire career, if not the most serious".

A wide range of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, according to cyber security firm Dragos and CISA recommends asset owners take some  immediate steps regarding this vulnerability:

  • Enumerate any external facing devices that have log4j installed. 
  • Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  • Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.  

CISA's concerns over Log4j highlight the importance of building secure software from the outset and more widespread use of Software Bill of Materials (SBOM), providing end users the transparency they require to know if their products rely on vulnerable software libraries. 

CISA:       Govt. of Australia:        ABC:       Oodaloop:      ZDNet:    CNN:    Indian Express:    CP24:

You Might Also Read: 

Microsoft Will Invest $20Billion In Cyber Security:

 

« Cyber Revolution In The Media & Entertainment Industry
British Plan To Become A ‘Global Cyber Power’ In 2022 »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Assure Technical

Assure Technical

Assure Technical offers a holistic approach to Technical Security. Our expertise and services span across the Physical, Cyber and Counter Surveillance domains.

LRQA

LRQA

LRQA are a leading global assurance provider, bringing together unrivalled expertise in certification, brand assurance, cybersecurity, inspection and training.

Stott & May

Stott & May

Stott & May is a specialist cyber security recruitment agency.

Synack

Synack

Synack provides a hacker-powered intelligence platform that uncovers security vulnerabilities that often remain undetected by traditional pen testers and scanners.

Excellium Services

Excellium Services

Excellium’s Professional Services team combines expertise and experience that complements your in-house security resources.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

Hardenite

Hardenite

Hardenite solution helps R&D, DevOps and IT teams to continuously manage security risks and hardening efforts of any Linux OS – based product, throughout the product life cycle.

BHC Laboratory

BHC Laboratory

BHC Laboratory is a cyber capabilities’ development company for a wide range of global customers.

Zymbit

Zymbit

Zymbit provides hardware security modules (HSM) for IoT devices, including Raspberry Pi and other single board computers.

SAP National Security Services (NS2)

SAP National Security Services (NS2)

SAP NS2 are dedicated to delivering the best of SAP innovation, from cloud to predictive analytics; machine learning to data fusion.

Ribbon Communications

Ribbon Communications

Ribbon Communications delivers global communications software and network solutions to service providers, enterprises, and critical infrastructure sectors.

Cyphra

Cyphra

Cyphra’s team provide cyber security consulting, technical and managed services expertise and experience to support your organisation.

Tetra Defense

Tetra Defense

Tetra Defense is a leading incident response, cyber risk management and digital forensics firm.

Cyber Coaching

Cyber Coaching

Cyber Coaching is a community for enhancing technical cyber skills, through unofficial certification training, cyber mentorship, and personalised occupational transition programs.

GTT Communications

GTT Communications

GTT are a global network provider that serves thousands of multinational and national enterprise, government and carrier customers with a portfolio of advanced connectivity and security services.

Telesign

Telesign

Telesign connect, protect, and defend online experiences with sophisticated digital identity and programmable communications solutions.