log4j: Tech companies scramble to fix software vulnerability that ‘threatens entire internet’

Hackers are already exploiting vulnerability to steal data and credentials, and to install crypto miners in affected systems, tech companies say

Vishwam Sankaran
Tuesday 14 December 2021 01:13 EST
Comments
The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build
The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build (AFP via Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Tech companies across the world are under pressure to fix a software vulnerability that many cybersecurity experts are calling one of the worst to be discovered in recent years.

The vulnerability, known as Log4shell, was identified in Apache’s Log4j software library that helps developers keep track of changes in the applications they build.

The software flaw was first noticed on sites catering to the popular video game Minecraft, and was officially reported to Apache on 24 November by Chen Zhaojun of Alibaba, according to Crowdstrike.

But it soon became clear that the vulnerability had far-reaching implications since the software is ubiquitous, used in millions of applications across the internet, including Amazon Web Services, Apple’s iCloud, and the video game distribution service Steam.

Experts say the vulnerability can allow hackers to control java-based web servers and enable them to execute remote code execution (RCE) attacks, which they may use to take control of affected systems.

Major tech companies including Microsoft, IBM, Cisco, and Google, as well as government agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) in the US have found that some of their services were vulnerable and issued advisories and guidelines on how best to tackle the threat.

There are already reports that hackers are mass scanning servers, and attempting to thumbprint and identify vulnerable systems, Microsoft noted in a statement.

The tech giant added that post-scanning, there have also been exploitation and post-exploitation activities observed.

Once hackers gain full access and control of an application, depending on the vulnerabilities the attackers exploit, they can also perform a myriad of objectives such as installing crypto coin miners, credential theft, and data exfiltration, Microsoft noted.

“Log4j is very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information. An unauthenticated remote actor could exploit this vulnerability to take control of an affected system,” CISA noted in a statement.

CISA director Jen Easterly said the vulnerability was already being “widely exploited by a growing set of threat actors”, adding that the agency was working closely with public and private sector partners in the US to proactively address the vulnerability.

“To be clear, this vulnerability poses a severe risk. We will only minimise potential impacts through collaborative efforts between government and the private sector. We urge all organisations to join us in this essential effort and take action,” Ms Easterly added.

Companies have strongly urged customers managing applications with Log4j2 to update to the latest version, or their operating system’s software update mechanism.

Microsoft-owned Minecraft noted that the exploit has been “addressed with all versions of the game client patched”. But it added that users would still need to take additional steps such as looking out for new software updates to secure the game and their own servers.

Cisco said several of its products, including the widely used Cisco Webex Meeting server, are vulnerable, adding that it is investigating if more of its applications are at risk.

Google said it is currently working with VMWare and would deploy fixes as they become available.

Since many organisations, especially in the developing world, do not have a clear audit of the software they use, experts say one of the biggest challenges in countering the threat would be in keeping track of the hundreds of millions of devices that are likely affected.

In its advisory, UK’s National Cyber Security Centre has advised all organisations to install the latest updates immediately wherever Log4j is known to be used.

“Affected UK organisations should report any evidence of compromise relating to this vulnerability to the NCSC via our website,” it added.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in