Log4j is Impacting the Technology Supply Chain
A major vulnerability is impacting software companies creating a supply chain nightmare for companies - Cybersecurity researchers warn over attackers scanning for vulnerable systems to steal user credentials and install malware
Log4j logging framework has software companies across the globe are scrambling to patch a vulnerability that could impact and expose data across large and small software companies. Similar to SolarWinds, third-party networks can be impacted exposing sensitive data triggering incident response plans into action and breach notification to clients, regulators, and insurance companies.
Hackers are already attempting to exploit it, but even as fixes emerge, researchers warn that the flaw could have serious repercussions worldwide as many mainstream product and services will be impacted.
“It's a design failure of catastrophic proportions,” says Free Wortley, CEO of the open source data security platform LunaSec. “It's pretty dang bad,” says Wortley. “So many people are vulnerable, and this is so easy to exploit. There are some mitigating factors, but this being the real world there will be many companies that are not on current releases that are scrambling to fix this.”
Log4j is a Java library, and while the programming language is in very broad use in enterprise systems and web apps. The Log4j flaw (also now known as "Log4Shell") is a zero-day vulnerability (CISA Notice) that first came to light on December 9, with warnings that it can allow unauthenticated remote code execution and access to servers.