The US Cybersecurity and Infrastructure Security Agency warns that the newly discovered Log4j vulnerability will affect hundreds of millions of devices and that "no single action will fix the issue."
The vulnerability, CVE-2021-44228, exists in the widely used Java library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and gain control over affected servers.
Experts at the Cybersecurity and Infrastructure Security Agency, a Department of Homeland Security component, are preparing to create a dedicated website to provide information and counteract "active disinformation."
"We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage," Security Agency Director Jen Easterly said in a phone briefing, as reported by CyberScoop.
CISA's executive assistant director for cybersecurity, Eric Goldstein, anticipates that many groups will exploit the vulnerability, including ransomware groups and crypto miners. However, he notes that the agency has not found evidence of an active supply-chain attack at this time.
"There's no single action that fixes this issue," Jay Gizlay, a member of CISA's vulnerability management office, said on the call. It's a mistake to think anyone is "going to be done with this in a week or two."
The flaw and a proof-of-concept exploit have wreaked havoc across companies that use the popular Log4j Java platform. Impacted firms included Amazon, Apple, Steam, Minecraft, and many others.
According to security researchers, the vulnerability has been found to affect Apple's iCloud platform. At least one provided evidence that they were able to exploit the flaw.
6 Comments
If you are sold on cloud storage of important personal files, that is great. I just encourage you to make your own backup copies of anything you really don’t want to lose. Put it in a safe if necessary, and maybe have a copy stored in a bank safety deposit box or an alternate location if you are fortunate enough to have multiple residences.
Oh, the joy of being a software developer, systems administrator, etc. The ubiquity of Java makes this a problem for everyone in my line of work. I have at least three business critical systems that involve log4j THAT I KNOW OF. Naturally, all of them use different versions, will need to be tested with fixes/updates, and are subject to change management procedures. Luckily this hit before the CM freeze that gets applied over the Christmas break.
Perhaps we rely on computers a little too much. But it’s too late…they have become almost biological to us.