
Tuesday, December 14, 2021

Business-Software Bug Brings Warning

"A flaw in a widely used piece of free internet software is prompting companies to rush to update their systems and prevent cyberattacks, but the technology's ubiquity means the threat could affect businesses for months, security researchers say.

Corporate security executives say they hurried over the weekend to assess whether and how their computer networks use the software, Log4j, while waiting for vendors to disclose the risk to their own technologies and issue software updates to mitigate the threat. The bug was disclosed Thursday.

Log4j is used on computer servers to keep records of users' activities so they can be reviewed later by security or software development teams. The nonprofit Apache Software Foundation, a group that distributes the open-source tool at no cost, has said it has been downloaded millions of times.

People need to upgrade to get the fix, said Ralph Goers, a volunteer with the foundation.

The flaw is particularly dangerous given the widespread use of Log4j on corporate networks and the ease with which hackers could exploit the vulnerability, security experts say. Attackers could use the bug to break into computer networks to steal sensitive data, prepare for ransomware attacks, or create backdoors that will allow them to maintain access to corporate systems even after the flawed software has been patched.

The Log4j framework is used in at least 250,000 open-source software projects cataloged by Fortress Information Security, which analyzes suppliers to critical-infrastructure businesses including power companies and defense contractors, said Tony Turner, vice president of security solutions. Developers sometimes build software atop existing tools without fully understanding the underlying code, he said, potentially obscuring flaws such as the Log4j vulnerability.

It could take many tech vendors a week or two to patch software affected by the vulnerability, Mr. Turner said. "But let's look at the calendar, what's happening in two weeks? Christmas," he said. "It's quite likely we won't see any concerted patching efforts till the new year."

The vulnerability poses the latest threat to the supply chains that help the digital economy run, already under scrutiny from companies and governments since Russian hackers allegedly breached U.S. agencies through a compromised SolarWinds Corp. tool last year.

U.S. officials in recent days called on suppliers affected by the Log4j vulnerability to update their software and contact customers. The Cybersecurity and Infrastructure Security Agency said it planned to hold an emergency call Monday to share more information with critical infrastructure operators. CISA didn't respond to a request for additional comment.

Experts say they expect a ransomware attack using the vulnerability to happen soon.

"I think it's a matter of hours before we see this," said Arijo Nazari Azari, chief information security officer of Evonik Industries AG. Mr. Azari on Monday said the German chemical company's security team spent the weekend working to pinpoint vulnerabilities across its information-technology infrastructure. His team first scanned internet-facing systems before moving to internal platforms.

Evonik shut down an online learning platform for employees as a precaution after identifying the Log4j software in the platform's software stack, he said." [1]

1. Uberti, David; Stupp, Catherine. "Business-Software Bug Brings Warning." Wall Street Journal, Eastern edition, New York, N.Y., 14 Dec 2021: B.4.
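The assessment the article describes, working out whether and where a network runs Log4j, starts with an inventory of the jars actually deployed. As an added example (not from the article, the Apache project or any vendor), the Python script below walks a directory tree, reads the Maven metadata that log4j-core jars carry in `META-INF`, and flags any copy whose version is below a threshold; the threshold constant and the sample jars are constructed for the demo, and the real fixed version should be taken from the Apache Log4j advisory.

```python
import itertools
import os
import tempfile
import zipfile

POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # Maven metadata inside log4j-core jars
ASSUMED_FIXED_VERSION = "2.50.0"  # constructed for this demo; substitute the version named in the Apache Log4j advisory

def parse_version(v):
    """'2.14.1-rc1' -> (2, 14, 1): keep the leading digits of each dot-separated part."""
    return tuple(int("".join(itertools.takewhile(str.isdigit, p)) or 0) for p in v.split("."))

def log4j_core_version(jar_path):
    """Version recorded in the jar's log4j-core pom.properties; None if absent or unreadable."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            if POM in zf.namelist():
                for line in zf.read(POM).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    except zipfile.BadZipFile:
        pass  # a real inventory tool would report unreadable archives separately
    return None

def scan(root, fixed_version):
    """(path, version, needs_update) for each .jar under root that embeds log4j-core.
    Jars bundled inside .war/.ear files are not opened here and need the same check."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                path = os.path.join(dirpath, name)
                version = log4j_core_version(path)
                if version is not None:
                    findings.append((path, version, parse_version(version) < parse_version(fixed_version)))
    return sorted(findings)

def build_sample_tree():
    """Constructed fixture: an outdated log4j-core jar, a current one and an unrelated jar."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    for name, version in (("old-log4j-core.jar", "2.0.1"), ("patched-log4j-core.jar", "2.99.0"), ("other-lib.jar", None)):
        with zipfile.ZipFile(os.path.join(root, name), "w") as zf:
            if version:
                zf.writestr(POM, f"artifactId=log4j-core\nversion={version}\n")
    return root

def demo():
    """Run the inventory over the constructed tree; basenames keep the result stable."""
    return [(os.path.basename(p), v, flag) for p, v, flag in scan(build_sample_tree(), ASSUMED_FIXED_VERSION)]
```

Point `scan()` at a server's application directories and sort on the third field to get the list of jars that still need the vendor's update; shaded or renamed copies of log4j-core that drop the Maven metadata will not be caught by this check.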
