US warns Log4j flaw puts hundreds of millions of devices at risk

US cybersecurity officials stress how complicated fixing the Log4j vulnerability will be.
Written by Liam Tung, Contributing Writer

Top US government cybersecurity officials fear advanced hackers will have a field day with the Log4j vulnerability that's likely present in hundreds of millions of devices. 

Security experts are already seeing widespread scanning for the Log4j vulnerability (also dubbed 'Log4Shell') on internet-connected devices running vulnerable versions of Log4j version 2, which have been under attack since December 1, although the bug became common knowledge on December 9

So far, Microsoft has seen attackers compromise machines to install coin miners, the Cobalt Strike pen-testing framework to enable credential theft and lateral movement, and exfiltration of data from compromised systems.


These attacks appear to be opportunistic cyber-criminal activity thanks to its ease of exploitation, but top officials at the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) fear "sophisticated actors" will also pounce on the bug soon. 

"This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," Jen Easterly, director of CISA said in a call shared with CNN. Easterly has spent 20 years in various federal cybersecurity roles.

"We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage," she said. The call, with US critical infrastructure owners and operators, was first reported by CyberScoop.  

Jay Gazlay of CISA's vulnerability management office warned that hundreds of millions of devices are likely to be affected.

Log4J is a popular Java library for logging error messages in applications. It's vulnerable to a critical flaw, tracked as CVE-2021-44228, that lets any remote attacker take control of another device on the internet, if it's running Log4J versions 2.0 to 2.14.1. 

The remotely exploitable flaw is present in hundreds of major enterprise products, from the likes of Oracle, Cisco, RedHat, IBM, VMware and Splunk, and cloud features from Amazon Web Services and Microsoft Azure, as well as security appliances and developer tools. Google Cloud is investigating the impact of the Log4j bug on its products and services, and is working with VMware to deploy fixes to the Google Cloud VMware Engine. Google has updated WAF rules to defend against Log4j attacks.  

The Apache Software Foundation has released version 2.15.0 to address the flaw, but product vendors still need to apply the fix in their products and then end-user customers need to update their devices once their vendor's fix becomes available.          

The flaw highlights known risks arising from software supply chains when a key piece of software is used within multiple products across multiple vendors and deployed by their customers around the world.


It's not a simple fix to address all vulnerable devices. As Sans Internet Storm Center notes: "There is no generic 'log4j2' patch to patch everything. In some cases, vendors including Log4j, need to patch their software to include the new version."

Rapid7 had a similar warning: "Organizations should be prepared for a continual stream of downstream advisories from third-party software producers who include Log4j among their dependencies."

SEE: Hackers are turning to this simple technique to install their malware on PCs

Rapid7 itself has been investigating its products' exposure to the Log4j bug and has deployed server-side fixes for several affected products. 

Historically slow uptake of new security patches means attackers will likely have months if not years to find and exploit vulnerable devices, security experts warned this week

The Log4j bug is internet-wide, prompting advisories from AustraliaNew Zealand, Canada, the UK, Sweden, Germany, Singapore, and elsewhere. Canada's Revenue Agency took some services offline on Friday after learning of the flaw, according to CBC.  

Editorial standards