Services of major tech companies are currently facing what experts are calling one of the most serious software flaws in recent times: the Log4j vulnerability. The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the US government’s cybersecurity agency.
The new vulnerability affects the widely used library Log4j, which was created by Apache, the most widely used web server. The Log4j vulnerability allows remote code execution by simply typing a specific string into a textbox. It was first discovered by Minecraft players, but it was soon realised that this vulnerability wasn’t just a Minecraft exploit but works on every program using the Log4j library.
To understand how Log4j functions, check out our recent article where we dig deeper into the exploit and its workings. It should be noted that this bug doesn’t affect all versions of Log4j; it affects only versions 2.0 through 2.14.1.
Interestingly, the Log4j exploit is one of the worst vulnerabilities we have had in the last 10 years. Here’s how tech companies are responding to the security flaw that is potentially capable of putting the entire internet at risk.
Microsoft said on Saturday that the Log4j vulnerability will not only affect machines that mine cryptocurrencies but can cause more serious problems such as credential and data theft.
The tech giant said that its threat intelligence teams have been tracking attempts to exploit the remote code execution (RCE) vulnerability that was revealed late on Thursday.
In its post, Microsoft said that “at the time of publication, the vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed.”
In a separate blog post, the Microsoft Security Response Center wrote that its security teams “have been conducting an active investigation of our products and services to understand where Apache Log4j may be used,” adding that if the company identifies any customer impact, it will notify them immediately.
Google Cloud in its security advisory notes that it is actively following the security vulnerability. “We are currently assessing the potential impact of the vulnerability for Google Cloud products and services. This is an ongoing event and we will continue to provide updates through our customer communications channels.”
The company, like others, has advised all its users who manage environments containing Log4j to update to the latest version.
VMware Inc, which makes computer virtualisation software, said Thursday that several of its products were likely affected by the flaw in the Java-based Log4j library. The cloud computing company listed all of its products and versions that are affected by the vulnerability.
The company further noted that as of Saturday, its services are protected and operational. “Some customers with overly permissive management gateway firewall rules have had action taken to reduce their exposure from scanning and exploit activity occurring across the Internet. Those affected have seen direct communications from VMware,” the company added in its blog post.
All environments are different, have different tolerances for risk, and have different security controls and defense-in-depth to mitigate risk related to the Log4j exploit, “so the decision on how to proceed is up to you. However, given the severity, we strongly recommend that you act,” the company wrote, recommending that all of its users apply the patch immediately.
Cisco Talos observed attacker activity beginning December 2. The company notes that additional vectors could be used to trigger the vulnerability.
Log4j is commonly used in a wide variety of software running on systems other than traditional web servers, meaning it is critical not to rule out other vectors of exploitation. As mitigations are deployed by defenders and as the situation evolves, Cisco warned that hackers will look out for new ways to infect and attack web servers.
“Devices present and inspecting various aspects of communications between an attacking system and a victim may also be impacted by this vulnerability, exposing them to possible compromise,” the company said in a blog post.
Amazon Web Services (AWS) said that it is aware of the recently disclosed security issue relating to the open-source Apache “Log4j2” utility. “We are actively monitoring this issue, and are working on addressing it for any AWS services which either use Log4j2 or provide it to customers as part of their service,” an advisory pushed by Amazon read.
Meanwhile, Amazon believes that upgrading Log4j2 on JDKs will not mitigate the issue. The company said the only comprehensive solution is to upgrade Log4j2 to version 2.15, and any version older than 2.15 should be considered compromised.
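The practical first step behind every advisory above is an inventory: find which Log4j jars a system ships and compare their version against the affected range the article gives (2.0 through 2.14.1, fixed in 2.15). The following is an added example, not code from the article or any of the vendors quoted; it reads the Implementation-Title and Implementation-Version entries from a jar manifest and flags versions inside that range. The sample jars are constructed in memory, and the manifest field names are assumed to match what a log4j-core jar records.

```python
import io
import re
import zipfile
# Range the article gives as affected: 2.0 through 2.14.1 (fixed in 2.15).
VULN_MIN = (2, 0, 0)
VULN_MAX = (2, 14, 1)

def parse_version(text):
    """Turn '2.14.1' or '2.15' into a comparable tuple padded to three parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version):
    return VULN_MIN <= parse_version(version) <= VULN_MAX

def log4j_version_from_jar(jar_bytes):
    """Return Implementation-Version from a log4j-core jar manifest, else None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return None
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    title = re.search(r"^Implementation-Title:\s*(.+)$", manifest, re.M)
    ver = re.search(r"^Implementation-Version:\s*(.+)$", manifest, re.M)
    if not title or not ver or "log4j" not in title.group(1).lower():
        return None  # not a Log4j jar, or no version recorded
    return ver.group(1).strip()

def scan_jars(jars):
    """jars: {path: jar bytes}. Returns {path: version} for jars in the range."""
    findings = {}
    for path, data in jars.items():
        version = log4j_version_from_jar(data)
        if version and is_vulnerable_version(version):
            findings[path] = version
    return findings

def make_jar(title, version):
    """Build a minimal jar in memory: constructed sample data, not a real Log4j jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\n"
                    f"Implementation-Title: {title}\r\nImplementation-Version: {version}\r\n")
    return buf.getvalue()

SAMPLE_JARS = {  # constructed inventory standing in for jars found on disk
    "app/lib/log4j-core-2.14.1.jar": make_jar("Apache Log4j Core", "2.14.1"),
    "app/lib/log4j-core-2.15.0.jar": make_jar("Apache Log4j Core", "2.15.0"),
    "app/lib/other-2.3.0.jar": make_jar("Other Library", "2.3.0"),
}
```

Calling `scan_jars(SAMPLE_JARS)` reports only the 2.14.1 jar; the 2.15.0 jar and the unrelated library at 2.3.0 are left out, so a version number alone is never enough without the title check.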