The Log4j Security Flaw Could Impact The Whole Internet. Here's What You Need Be Aware Of

Washington Foss

3 min read
The Log4j Security Flaw Could Impact The Whole Internet. Here's What You Need Be Aware Of


"It will take years to address this, and attackers will be watching... on daily basis to take advantage of itand exploit it]," said David Kennedy, CEO of cybersecurity firm TrustedSec. "This is a real threat for businesses."



Here are some of the things you need to know:



Log4j What is it, and why is it so important?



Log4j is one of the most popular logging libraries online according to cybersecurity experts. Log4j offers software developers a way to build an inventory of activities that can be used to serve a variety of functions, such as troubleshooting, auditing , and data tracking. The library is free and open-source which means it can be used in any area of the internet.



"It's ubiquitous. Even if you're not a developer who doesn't use Log4j directly, you might still be running the vulnerable code because one of the open source libraries you use depends on Log4j," Chris Eng the chief research officer of cybersecurity firm Veracode, told CNN Business. "This is the nature of software: It's turtles all the way down."



The software is used by corporations like Apple, IBM and Oracle, Cisco, Google, Amazon, and Cisco. It could be used on popular websites and apps, and hundreds of millions of devices around the world which access these services could be vulnerable to the vulnerability.



Are hackers exploiting it?



According to cybersecurity firm Cloudflare the attackers appear to have had more time than a week to exploit the software flaw before it was disclosed. With the number of hacking attempts occurring every day, many are worried that the most severe attack is still to come.



"Sophisticated threat actors will figure out how to effectively exploit the vulnerability to gain the greatest benefit," Mark Ostrowski, Check Point's director of engineering, said Tuesday.



Late on Tuesday night, Microsoft said in an update to a blog post that state-backed hackers from China, Iran, North Korea and Turkey have tried to exploit the Log4j vulnerability.



What makes this security flaw so risky?



Experts are particularly concerned about the vulnerability as hackers are able to gain access to a company's computer servers and gain access to other areas of a network. It's also very hard to find the vulnerability, or determine whether a system has been compromised according to Kennedy.



Another vulnerability was discovered in Log4j's software on Tuesday night. The Apache Software Foundation, a non-profit that developed Log4j, and other open-source software, has released a security patch for companies.



What are the strategies being employed by companies to tackle this issue?



Last week, Minecraft published a blog post announcing a vulnerability was discovered in a particular version of its game -- and promptly released a fix.  F-email.org  have taken similar steps.



US warns that hundreds of millions of devices are at risk because of a newly discovered software vulnerability



Customers have received advisory letters from IBM, Oracle, AWS, Cloudflare, and AWS. Some issue security updates, whereas others detail their plans for future patches.



"This is a major bug however, you can't hit the button to fix it like a traditional major vulnerability." Kennedy stated that it will require a lot of work and time.



To ensure transparency and reduce false information, CISA said it would establish a website that will provide updates on which software products were affected by the flaw and how hackers exploited the vulnerabilities.



What can you do to ensure your security?



Companies are under a lot of pressure to act. At present, it is recommended to make sure to update devices, software and apps when companies give prompts in the coming days and weeks.



What's next?



The US government has warned affected businesses to be on guard for ransomware attacks and cyberattacks during the holidays.



There is concern that an increasing number of malicious actors will make use of the vulnerability in new ways. While large technology companies may have the security teams in place to combat these threats However, many other organizations don't.



"What I'm most concerned about is schools, the hospitals those places where there's a single IT person in charge of security but doesn't have the time or the budget for security or tools," said Katie Nickels, Director of Intelligence at cybersecurity company Red Canary. "Those are the organizations I'm most worried about -small-sized organizations with tiny budgets for security."

Sign up for more like this.

Enter your email
Subscribe