Companies Rush to Fix Software Exploit After U.S. Warning

cyber crime
A person types at a keyboard. Photo: Getty Images.
December 12, 2021
Bloomberg

Major global companies are facing pressure to fix what experts are calling one of the most serious software flaws in recent memory. 

The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the U.S. government’s cybersecurity agency. 

Microsoft Corp. and Cisco Inc. have published advisories about the flaw, and software developers released a fix late last week. But a solution depends on thousands of companies putting the fix in place before it is exploited.  

“This is probably the worst security vulnerability in at least the last 10 years — maybe longer,” said Charles Carmakal, the chief technology officer for cybersecurity firm Mandiant Inc. He said Mandiant received requests from several major companies in the last few days for help.

Alibaba Group’s cloud-security team recently discovered the flaw, according to the nonprofit Apache Software Foundation, which maintains Log4j. 

The vulnerability effectively allows hackers to take control of a system. Because the faulty computer code is baked into software of all sorts, updating it is a painstaking process. 

“To be clear, this vulnerability poses a severe risk,” Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said in a statement Friday. Vendors “must immediately identify, mitigate, and patch the wide array of products using this software,” she said.

Watch: Why Should the Supply Chain Care About Cybersecurity?

VMWare Inc., which makes computer-virtualization software, said Thursday that several of its products were likely affected by the Java-based Log4j.

Amit Yoran, the CEO of Tenable Inc., which makes widely used vulnerability-scanning software, said the Log4j flaw is so ubiquitous that, among customers running Tenable’s scanning products, at least three systems a second are reporting they’re affected. 

“We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity,” Easterly said, adding that CISA has cataloged the vulnerability — requiring U.S. federal civilian agencies to fix it promptly. As of Saturday, the agency hasn’t identified compromises in federal systems.

RELATED CONTENT

RELATED VIDEOS

Technology Data Management (Big Data/IoT/Blockchain) Cloud & On-Demand Systems SC Security & Risk Mgmt
Bloomberg

Trucker Vaccine Rule Is Making Freight and Fruit Pricier

More from this author

Popular Stories

Digital Edition

Scb nov 2021 sm

Supply Chain Innovation Today: Not a Choice, But an Imperative

VIEW THE LATEST ISSUE

Case Studies

6 River Systems Alithya Aptos
Armada aThingz Augury
Blue Yonder BNSF Logistics Burris Logistics
eMoldino Flash Global Generix
Genpact Geodis GEP
GreyOrange Here Honeywell Corporate
Honeywell Intelligrated Infor Inmar
Keelvar Kibo Commerce Kinaxis
Lucas Systems MacGregor Old Dominion
OneRail OpenSky NetSuite
Paccurate Quickbase S&H Systems
SAP Ariba Sealed Air Seegrid
Setlog Holding AG Ship4WD Snapfulfil
Tecsys TGW Systems Thomson Reuters
Tradepoint Atlantic Vecna Robotics Watson Land Company
Westfalia Technologies Whiplash Yang Ming