Cybersecurity officials are urging federal agencies and infrastructure companies to take action against a recently discovered coding vulnerability in a common software tool that threatens to compromise millions of devices.
The vulnerability, known as Log4Shell, is found in an open-source software tool called Log4j that is used by almost every major cloud service provider and enterprise software firm, according to cybersecurity firm CrowdStrike. Hackers can exploit the flaw to gain access to a company’s internal networks, allowing them to steal data, destroy information and take control of a company’s systems.
“We have added this vulnerability to our catalog of known exploited vulnerabilities, which compels federal civilian agencies — and signals to non-federal partners — to urgently patch or remediate this vulnerability,” Jen Easterly, head of the Cybersecurity Infrastructure and Security Agency (CISA), said in a statement Saturday, shortly after the flaw was discovered.
🚨All orgs should upgrade to log4j version 2.15.0 or apply appropriate vendor recommended mitigations ASAP!

Read my full statement on this vulnerability: https://t.co/zLoXaTyqgt https://t.co/ht2vqCYdBG
— Jen Easterly (@CISAJen) December 11, 2021
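The upgrade threshold in the statement above can be turned into a simple inventory check. The following is an added example, not code from the article or from CISA: it looks for log4j-core jar files whose version is below 2.15.0 (the release named in the statement) and reports them for upgrade. The file-name pattern, directory walk and sample paths are assumptions constructed for this example, and the version comparison is done numerically so that, for instance, 2.8.2 is correctly treated as older than 2.15.0 rather than "greater" as a string comparison would say.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Fixed release named in the CISA statement quoted above (assumed threshold
# for this example; the page names no other release).
MIN_FIXED_VERSION = (2, 15, 0)

# Matches artifact names such as log4j-core-2.14.1.jar; group 1 is the version.
JAR_NAME_RE = re.compile(r"^log4j-core-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.14.1' into (2, 14, 1) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when a Log4j 2.x log4j-core version is older than 2.15.0."""
    parsed = parse_version(version)
    # Only the Log4j 2.x line is in scope for this check.
    if parsed[0] != 2:
        return False
    return parsed < MIN_FIXED_VERSION


def find_vulnerable_jars(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (path, version) pairs for every log4j-core jar below the fixed version."""
    findings = []
    for name in names:
        match = JAR_NAME_RE.match(Path(name).name)
        if not match:
            continue  # not a log4j-core artifact (e.g. log4j-api, unrelated jars)
        version = match.group(1)
        if is_vulnerable_version(version):
            findings.append((name, version))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory tree and report vulnerable log4j-core jars found in it."""
    return find_vulnerable_jars(str(p) for p in Path(root).rglob("*.jar"))


# Constructed sample inventory standing in for a real filesystem walk.
SAMPLE_INVENTORY = [
    "/opt/app-a/lib/log4j-core-2.14.1.jar",
    "/opt/app-b/lib/log4j-core-2.15.0.jar",
    "/opt/app-c/lib/log4j-core-2.8.2.jar",
    "/opt/app-c/lib/log4j-api-2.8.2.jar",
    "/opt/legacy/lib/log4j-1.2.17.jar",
]

if __name__ == "__main__":
    for path, version in find_vulnerable_jars(SAMPLE_INVENTORY):
        print(f"UPGRADE NEEDED: {path} (log4j-core {version} < 2.15.0)")
```

On a real host, `scan_tree("/opt")` replaces the constructed list; note that this only finds jars on disk under their standard file name, so bundled or renamed copies of the library still need a dependency-level check as the vendor mitigations mentioned above describe.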
The vulnerability could affect potentially “hundreds of millions” of devices, Eric Goldstein, executive assistant director of cybersecurity at CISA, told reporters. However, the agency has yet to detect any major attacks on infrastructure or federal authorities.
CISA issued a notice Wednesday directing critical infrastructure companies to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Easterly and other CISA officials also held a call with the heads of several critical infrastructure firms Monday to explain the severity of the issue and to urge immediate action.
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” Easterly said in the meeting, according to CyberScoop. “The issue is an unauthenticated remote execution vulnerability that could allow an intruder to take over an affected device.”
Easterly reportedly said that the vulnerability “is one of the most serious I’ve seen in my entire career, if not the most serious.”