
Log4j may be the worst vulnerability yet, says Department of Homeland Security

The US Cybersecurity and Infrastructure Security Agency warns that the newly discovered Log4j vulnerability will affect hundreds of millions of devices and that "no single action will fix the issue."

The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and grant control over affected servers.

Experts at the Cybersecurity and Infrastructure Security Agency, a Department of Homeland Security component, are preparing to create a dedicated website to provide information and counteract "active disinformation."

"We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage," CISA Director Jen Easterly said in a phone briefing, as reported by CyberScoop.

CISA's executive assistant director for cybersecurity, Eric Goldstein, anticipates that many groups will exploit the vulnerability, including ransomware groups and crypto miners. However, he notes that the agency has not found evidence of an active supply-chain attack at this time.

"There's no single action that fixes this issue," Jay Gizlay, a member of CISA's vulnerability management office, said on the call. It's a mistake to think anyone is "going to be done with this in a week or two."

The flaw and a proof-of-concept exploit have wreaked havoc across companies that use the popular Log4j Java library. Impacted firms included Amazon, Apple, Steam, Minecraft, and many others.

According to security researchers, the vulnerability has been found to affect Apple's iCloud platform. At least one researcher provided evidence that they were able to exploit the flaw.
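Because "no single action will fix the issue," the first defensive step is knowing where Log4j actually lives, including copies bundled inside application archives. The following inventory scanner is an added example, not code from the article, CISA, or the Apache project. It walks a directory, opens every jar/war/ear/zip (recursing into archives nested inside archives), identifies Log4j 2 core by the presence of its JndiLookup class, reads the version from the jar's Maven pom.properties, and flags anything older than 2.15.0, the release that fixed CVE-2021-44228. The sample archives it builds for the demo are constructed stand-ins with fake class bytes, not real Log4j jars; the path of the scanned tree is whatever you pass on the command line.

```python
"""Inventory scanner for Log4j 2 core jars, including nested (shaded) copies.

Added example: finds where Log4j 2 core is present under a directory and
flags versions below 2.15.0 (the fix release for CVE-2021-44228) or
versions it cannot determine. It is a detection aid, not a patch.
"""
import io
import os
import re
import zipfile
from dataclasses import dataclass

# Real entry names found in Log4j 2 core jars.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
FIXED_VERSION = (2, 15, 0)  # first release fixing CVE-2021-44228 only


@dataclass(frozen=True)
class Finding:
    path: str       # outer file path, then nested entry names joined with "!"
    version: str    # version from pom.properties, or "unknown"

    @property
    def affected(self) -> bool:
        """Older than the fix release, or version unknown (needs manual review)."""
        parsed = parse_version(self.version)
        return parsed is None or parsed < FIXED_VERSION


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); None when the string is not a version."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)) if m else None


def core_version(zf):
    """Version from log4j-core's own pom.properties; 'unknown' if it is absent
    (typical for shaded copies, where the manifest describes the app instead)."""
    try:
        raw = zf.read(POM_PROPERTIES).decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in raw.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "version":
            return value.strip()
    return "unknown"


def scan_archive(zf, label, findings):
    """Record a finding if this archive is Log4j 2 core; recurse into nested archives."""
    names = zf.namelist()
    if JNDI_LOOKUP_CLASS in names:
        findings.append(Finding(label, core_version(zf)))
    for name in names:
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # named like an archive but is not one
            scan_archive(inner, f"{label}!{name}", findings)


def scan_tree(root):
    """Scan every archive under `root`; returns a list of Finding."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def as_dict(findings):
    """Key findings by the outer archive's file name (handy for reports)."""
    return {os.path.basename(f.path.split("!", 1)[0]): f for f in findings}


def build_sample_tree(root):
    """Constructed fixtures (not real Log4j): a vulnerable-looking core jar,
    a fixed-looking one, and a WAR holding a shaded copy with no pom.properties."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    for version in ("2.14.1", "2.15.0"):
        with zipfile.ZipFile(os.path.join(lib, f"log4j-core-{version}.jar"), "w") as zf:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # fake class bytes
            zf.writestr(POM_PROPERTIES, f"version={version}\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # shaded, no pom
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/shaded-deps.jar", inner.getvalue())
        zf.writestr("WEB-INF/web.xml", "<web-app/>")


def demo():
    """Build the constructed sample tree in a temp dir and scan it."""
    import tempfile
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{'AFFECTED' if f.affected else 'ok':8} {f.version:8} {f.path}")
```

Run it with a directory argument to scan a real host, or with none to scan the constructed fixtures. Unknown versions are deliberately reported as affected: a shaded copy inside a fat jar or WAR is exactly the kind of dependency that a filename-only search misses, which is why "three systems that I know of" tends to grow once archives are opened.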

6 Comments

M68000 7 Years · 887 comments

If you are sold on cloud storage of important personal files that is great. I just encourage you to make your own backup copies of anything you really don't want to lose. Put it in a safe if necessary and maybe have a copy stored in a bank safety deposit box or alternate location if you are fortunate to have multiple residences.

FileMakerFeller 6 Years · 1561 comments

Oh, the joy of being a software developer, systems administrator, etc. The ubiquity of Java makes this a problem for everyone in my line of work. I have at least three business critical systems that involve log4j THAT I KNOW OF. Naturally, all of them use different versions, will need to be tested with fixes/updates, and are subject to change management procedures. Luckily this hit before the CM freeze that gets applied over the Christmas break.

hexclock 10 Years · 1316 comments

Perhaps we rely on computers a little too much. But it’s too late…they have become almost biological to us. 

beowulfschmidt 12 Years · 2361 comments

FileMakerFeller said:
Oh, the joy of being a software developer, systems administrator, etc. The ubiquity of Java makes this a problem for everyone in my line of work. I have at least three business critical systems that involve log4j THAT I KNOW OF. Naturally, all of them use different versions, will need to be tested with fixes/updates, and are subject to change management procedures. Luckily this hit before the CM freeze that gets applied over the Christmas break.

Yeah, I've recently been one of the people tasked with bringing some of our "legacy code" (in the Martin Fowler sense of the word) up to snuff. Fortunately only one of the apps that's exposed to the outside world uses log4j. Still going to be a bugger implementing the appropriate automated tests in a code base with almost no automated unit or integration tests.

Fortunately, I can't claim credit for the code; it was all created before I joined the org. Been lobbying to get it fixed for some time, and this gave me the opportunity. 🤣

bobolicious 10 Years · 1178 comments

hexclock said:
Perhaps we rely on computers a little too much. But it’s too late…they have become almost biological to us. 

...I keep asking about the willingness of so many to rely on anything cloud... I understood the internet was invented to more securely fragment rather than concentrate points of attack... Do cloud services turn this upside down and if so to whose benefit...?