A Log4J Vulnerability Has Set the Internet ‘On Fire’

The United States Cybersecurity and Infrastructure Security Agency issued an alert about the vulnerability on Friday, as did Australia’s CERT. New Zealand’s government cybersecurity organization alert noted that the vulnerability is reportedly being actively exploited.

“It’s pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”

Apache rates the vulnerability at “critical” severity and published patches and mitigations on Friday. The organization says that Chen Zhaojun of Alibaba Cloud Security Team first disclosed the vulnerability.

The situation underscores the challenges of managing risk within interdependent enterprise software. As Minecraft did, many organizations will need to develop their own patches, or will be unable to patch immediately because they are running legacy software, like older versions of Java. Additionally, Log4j is not a casual thing to patch in live services, because if something goes wrong an organization could compromise its logging capabilities at the very moment it needs them most to watch for attempted exploitation.

There’s not much that average users can do, other than install updates for various online services whenever they’re available; most of the work to be done will be on the enterprise side, as companies and organizations scramble to implement fixes.

“Security-mature organizations will start trying to assess their exposure within hours of an exploit like this, but some organizations will take a few weeks, and some will never look at it,” a security engineer from a major software company told WIRED. The person asked not to be named because they are working closely with critical infrastructure response teams to address the vulnerability. “The internet is on fire, this shit is everywhere. And I do mean everywhere.”

While incidents like the SolarWinds hack and its fallout showed how wrong things can go when attackers infiltrate commonly used software, the Log4j meltdown speaks more to how widely the effects of a single flaw can be felt if it sits in a foundational piece of code that is incorporated into a lot of software.

“Library issues like this one pose a particularly bad supply chain scenario for fixing,” says Katie Moussouris, founder of Luta Security and a longtime vulnerability researcher. “Everything that uses that library must be tested with the fixed version in place. Having coordinated library vulnerabilities in the past, my sympathy is with those scrambling right now.”

For now, the priority is figuring out how widespread the problem truly is. Unfortunately, security teams and hackers alike are working overtime to find the answer.
