A ‘horrifying’ vulnerability in Apache logging library Log4j has been patched, but the threat to business is far from over.
The so-called Log4Shell vulnerability emerged at the beginning of December, when Cisco and Cloudflare identified a huge security flaw in the open source software, which is built to let developers keep track of what happens within their apps.
Using the vulnerability, attackers can easily run code of their own on affected servers, and from there steal user data, move deeper into corporate networks, install cryptominers or launch any number of other attacks.
So worrying was the development that ExpressVPN’s Chief Architect, Peter Membrey, likened it to a disaster movie. “As soon as I saw how you could exploit it, it was horrifying,” he told The Verge. “You know what’s coming, but there are very limited things you can do.”
Thankfully, the cyber security industry rallied after the vulnerability was announced, identifying at-risk applications and potential routes of attack in order to protect affected businesses as best it could. Among them was network security provider Cloudflare, which judged the threat so dangerous that it announced early on that it would offer firewall protection to all its customers free of charge.
Sure enough, a patch was quickly rolled out to close the vulnerability, but unfortunately that doesn’t close the case.
In fact, the ramifications of this weakness could be felt for years to come. Independent security researcher Chris Frohoff told Wired.com that businesses will probably find the vulnerable software showing up within their custom enterprise apps “for a long time”.
Among the largest companies thought to have been affected are Microsoft, IBM and Amazon. Beyond the household names there are further worries about software working behind the scenes. The likes of Broadcom, Red Hat and VMware create software on which their clients build their businesses. If those products are vulnerable, the exposure reaches right through to their clients’ core infrastructure.
The issue has also thrown into stark relief the work of a volunteer army racing to help patch vulnerabilities as quickly as possible. Many of those who worked on Log4Shell were not paid for their time, even though the library is used in huge, multinational systems.
It remains to be seen whether some sort of ‘bug bounty’ will be paid to those who rallied to patch the library.