Log4j Cyber Security Flaw Seriously Concerns Experts

Uploaded on 2021-12-24 in NEWS-Cybersecurity News, FREE TO VIEW

A critical flaw in widely used software has cyber security experts raising alarms and big companies racing to fix the issue. The vulnerability is in Java-based software known as "Log4j" that many large organisations use to configure their applications and it poses potential risks for much of the Internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has now issued a statement ordering all civilian federal agencies to patch the Log4j vulnerability. 

The Log4j vulnerability is currently being widely exploited by a growing number of threat actors, prompting government officials to take action.

The flaw presents a high threat to companies given its broad use and active exploitation. The issue lies in a commonly used utility that has been incorporated into countless pieces of software because it is open source, meaning anyone can use it. Log4j is principally uses as a tool to log activity for many computer systems. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers. It runs across many platforms, powering everything from webcams to car navigation systems and medical devices, according to the security firm Bitdefender

The flaw in Log4j allows attackers to  seize control of everything from industrial control systems to web servers and consumer electronics. Unless it is fixed, it gives a potential opening to internal networks where cyber criminals can loot valuable data, plant malware, erase crucial information and more. The first obvious signs of the flaw's exploitation appeared in the Microsoft online game Minecraft, when users were able to use it to execute programs on the computers of other users by pasting a short message in a chat box. 

Apache Software Foundation said the Chinese tech giant Alibaba notified it of the flaw on November 24 and the  Foundation rates the risk at 10 out of 10.

CISA is working closely with our public and private sector partners to proactively address a critical vulnerability affecting products containing the log4j software library. "This vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use’  according their latest statement.

CISA has added the harmful flaw to its Known Exploited Vulnerabilities Catalog and created a new landing page for all content regarding the vulnerability. CISA is providing insight to organizations via the Joint Cyber Defense Collaborative that includes numerous US  cybersecurity companies. 

  • The US Department of Homeland Security has ordered federal agencies to urgently eliminate the bug because it is so easily exploitable, and telling those with public-facing networks to put up firewalls if they cannot be sure.
  • In Australia, the Australian Cyber Security Centre has issued a critical alert urging organisations to apply the latest patches to address the weakness.

The Director od CISA, Jen Easterly, was reported describing  the flaw "one of the most serious I've seen in my entire career, if not the most serious".

A wide range of critical industries, including electric power, water, food and beverage, manufacturing and transportation, were exposed, according to cyber security firm Dragos and CISA recommends asset owners take some  immediate steps regarding this vulnerability:

  • Enumerate any external facing devices that have log4j installed. 
  • Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
  • Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.  

CISA's concerns over Log4j highlight the importance of building secure software from the outset and more widespread use of Software Bill of Materials (SBOM), providing end users the transparency they require to know if their products rely on vulnerable software libraries. 

CISA:       Govt. of Australia:        ABC:       Oodaloop:      ZDNet:    CNN:    Indian Express:    CP24:

You Might Also Read: 

Microsoft Will Invest $20Billion In Cyber Security:

 

« Cyber Revolution In The Media & Entertainment Industry
British Plan To Become A ‘Global Cyber Power’ In 2022 »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

AvePoint

AvePoint

AvePoint is an established leader in enterprise-class data management, governance, and compliance software solutions.

Perception Point

Perception Point

Perception Point is a Prevention-as-a-Service company, built to enable digital transformation. Our platform offers 360-degree protection against any type of content-based attack.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Carbide

Carbide

Carbide (formerly Securicy) breaks down enterprise-class security and privacy requirements and makes them accessible to, and achievable by, companies of all sizes.

DANAK

DANAK

DANAK is the national accreditation body for Denmark. The directory of members provides details of organisations offering certification services for ISO 27001.

Romanian Accreditation Association (RENAR)

Romanian Accreditation Association (RENAR)

RENAR is the national accreditation body for Romania. The directory of members provides details of organisations offering certification services for ISO 27001.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

MicroEJ

MicroEJ

MicroEJ is a software vendor of cost-driven solutions for embedded and IoT devices.

H3Secure

H3Secure

H3 Secure focuses on Secure Data Erasure Solutions, Mobile Device Diagnostics and Information Technology Security Consulting.

Dhound

Dhound

Dhound is a cybersecurity company providing web application penetration testing.

Wickr

Wickr

Wickr's mission is to secure the world's most critical communications. Wickr provides the highest standard of encryption trusted by millions worldwide.

SafeStack Academy

SafeStack Academy

SafeStack Academy is an online cyber security and privacy education platform. Our content is designed by experts to suit small businesses, growing companies, and development teams.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

Avatar Managed Services

Avatar Managed Services

Avatar offers proven, process driven IT support to companies who want to utilize their technology to their best advantage.

AI EdgeLabs

AI EdgeLabs

AI EdgeLabs is a powerful and autonomous cybersecurity AI platform that helps security teams respond immediately to ongoing attacks and protect Edge/IoT infrastructures.

Vulnify

Vulnify

At Vulnify, we’re revolutionizing the way businesses identify and manage security vulnerabilities.