The US Cybersecurity and Infrastructure Security Agency warns that the newly discovered Log4j vulnerability will affect hundreds of millions of devices and that "no single action will fix the issue."
The vulnerability, CVE-2021-44228, exists in the widely used Java logging library Apache Log4j. It's classified as a severe zero-day flaw and, if exploited, could allow attackers to perform remote code execution and take control of affected servers.
Experts at the Cybersecurity and Infrastructure Security Agency, a Department of Homeland Security component, are preparing to create a dedicated website to provide information and counteract "active disinformation."
"We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage," CISA Director Jen Easterly said in a phone briefing, as reported by CyberScoop.
CISA's executive assistant director for cybersecurity, Eric Goldstein, anticipates that many groups will exploit the vulnerability, including ransomware groups and crypto miners. However, he notes that the agency has not found evidence of an active supply-chain attack at this time.
"There's no single action that fixes this issue," Jay Gazlay, a member of CISA's vulnerability management office, said on the call. It's a mistake to think anyone is "going to be done with this in a week or two."
The flaw and a public proof-of-concept exploit have wreaked havoc across companies that use the popular Log4j Java library. Impacted firms included Amazon, Apple, Steam, Minecraft, and many others.
According to security researchers, the vulnerability has been found to affect Apple's iCloud platform. At least one researcher has provided evidence of successfully exploiting the flaw there.