Companies around the world are racing to patch a critical zero-day vulnerability that is among the worst ever found.
Cyber security experts and government officials began warning Friday of a critical bug in “Log4j,” a Java-based logging framework from Apache. As news of the vulnerability became known, the list of impacted companies grew to include some of the biggest in the world.
Palo Alto Networks reported that iCloud, Twitter, Amazon, Baidu and Minecraft were impacted, to name just a few. Even worse, the vulnerability is being actively exploited in the wild, putting many companies at risk.
The director of the Cybersecurity & Infrastructure Security Agency (CISA) issued a statement outlining the seriousness of the vulnerability.
“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity. We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability. We are proactively reaching out to entities whose networks may be vulnerable and are leveraging our scanning and intrusion detection tools to help government and industry partners identify exposure to or exploitation of the vulnerability.
To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
Cybersecurity experts are echoing CISA’s assessment of the danger, calling the vulnerability a major issue for the tech and cybersecurity community.
Dr. Richard Ford, CTO of cybersecurity research firm Praetorian, told WebProNews that Log4j is even worse than other widely reported vulnerabilities.
“Praetorian researchers weaponized the vulnerability within hours and have a fully working exploit that we can use in the field,” said Dr. Richard Ford. As background, Praetorian is an Austin-based cybersecurity solutions company that helps solve complex cybersecurity problems across critical enterprise assets and product portfolios. Their combination of software and security expertise puts them at the forefront of vulnerabilities such as this. Earlier this year, Praetorian was at the forefront of another critical vulnerability, ProxyLogon. The company says that, as critical as ProxyLogon was to resolve, it had a much smaller potential impact than Log4j.
Ford continued: “The company’s engineers and researchers have been working since last night in a war room to scan its customers and are finding vulnerabilities in the field. Worse yet, we’re also inadvertently discovering the vulnerability in third parties who are on adjacent or integrated systems. Naturally, we are following responsible disclosure policies so cannot call out these systems by name, but it is one of the largest exposures we have seen at Internet scale. All vulnerabilities are typically scored by how dangerous they are: this vulnerability has practically the highest score possible, and it seems likely that even some professionals are unaware of its potential impact. The situation is rapidly evolving, and we are learning a great deal about the scope and impact of this vulnerability as we quickly work with customers to help mitigate the risk in the short term while they work on a long-term solution, which will require patching all instances of the vulnerable code – a process which could take months.”
Due to Log4j’s widespread use, experts believe companies will continue to come under attack in the coming days while mitigation efforts are under way.
“This vulnerability feels similar to Shellshock, first identified in 2014, and still observed by GreyNoise,” Andrew Morris, Founder and CEO of cybersecurity firm GreyNoise, told WebProNews. “Due to ease of exploitation and prevalence of Log4j, GreyNoise researchers believe that this activity will continue to increase over the next few days.”