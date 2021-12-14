



A flaw in Log4j, a Java library for logging error messages in applications, has prompted urgent warnings from governments, and companies are rushing to fix what is being called one of the most serious software flaws.

According to Internet infrastructure provider Cloudflare, exploitation of the Log4j flaw started on December 1st. Since then, several national cybersecurity agencies have issued warnings, including the Cybersecurity and Infrastructure Security Agency (CISA) in the United States, the National Cyber Security Centre (NCSC) in the United Kingdom, and Germany's federal cyber security watchdog, the BSI.

The vulnerability clearly poses a serious risk, CISA director Jen Easterly said in a statement on Friday. According to Easterly, urgent steps are being taken to promote mitigation of this vulnerability and to detect related threat activity.

She added that vendors whose products use this software need to identify, mitigate, and patch affected products immediately.

What is Log4j?

Log4j is open source software maintained by a group of volunteer programmers as part of the non-profit Apache Software Foundation and is the leading Java logging framework. Developers embed Log4j, which security experts say is used by millions of applications, in their software for monitoring and logging. This helps programmers debug their applications.

Apache said in its security advisory that the issue was first reported by a security researcher working at the Chinese technology company Alibaba Group Holding Ltd. The flaw in the Log4j software could allow hackers free access to computer systems.

The first exploit was reportedly discovered on December 2, and a patch was released a few days later. A partial fix for this vulnerability was released Friday by Log4j maker Apache.

What are companies doing to fix the vulnerability?

Leading global companies, including Microsoft Corp and Cisco Inc, are facing pressure to fix what experts call one of the most serious software flaws in recent memory.

Microsoft and Cisco have issued advisories for this flaw, and Log4j's developers released a fix late last week. VMware has also released patches for each of its affected products.

Oracle has also issued a patch for this flaw. “Due to the seriousness of this vulnerability and the disclosure of exploit code on various sites, Oracle strongly recommends that the updates provided by this security alert be applied as soon as possible.”

AWS, which has detailed the impact of the flaw on its services, says it is working on patching services that use Log4j and has released mitigations for services such as CloudFront.

Having confirmed that WebSphere 8.5 and 9.0 are vulnerable, IBM said it is “actively addressing” the Log4j vulnerability across its infrastructure and products.

