[BreachExchange] Log4j security flaw puts the entire internet at risk: What top tech companies are saying

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Dec 14 09:57:41 EST 2021


https://indianexpress.com/article/technology/tech-news-technology/log4j-vulnerability-log4shell-responses-of-top-companies-google-microsoft-cisco-amazon-7670668/

Services of major tech companies are currently facing what experts are
calling one of the most serious software flaws in recent times: the Log4j
vulnerability. The flaw in the Log4j software could allow hackers
unfettered access to computer systems and has prompted an urgent warning by
the US government’s cybersecurity agency.

The new vulnerability affects the widely used library Log4j which was
created by Apache, the most widely used web server. The Log4j vulnerability
allows remote code execution by simply typing a specific string into a
textbox. It was first discovered by Minecraft players but soon it was
realised that this vulnerability wasn’t just a Minecraft exploit, but works
on every program using the Log4j library.

To understand how Log4j functions, check out our recent article where we
dig deeper into the exploit and its workings. It should be noted that this
bug doesn’t affect all versions of Log4j, and only affects the versions
between 2.0 and 2.14.1.

Interestingly, the Log4j exploit is one of the worst vulnerabilities we
have had in the last 10 years. Here’s how tech companies are responding to
the security flaw that is potentially capable of putting the entire
internet at risk.

Microsoft

Microsoft said Saturday that the Log4j vulnerability will not only affect
machines that mine cryptocurrencies but can cause more serious problems
such as credential and data theft.

The tech giant said that its threat intelligence teams have been tracking
attempts to exploit the remote code execution (RCE) vulnerability that was
revealed late on Thursday.

In its post, Microsoft said that “at the time of publication, the vast
majority of observed activity has been scanning, but exploitation and
post-exploitation activities have also been observed.”

In a separate blog post, the Microsoft Security Response Center wrote that
its security teams “have been conducting an active investigation of our
products and services to understand where Apache Log4j may be used,” adding
that if the company identifies any customer impact, it will notify them
immediately.

Google

Google Cloud in its security advisory notes that it is actively following
the security vulnerability. “We are currently assessing the potential
impact of the vulnerability for Google Cloud products and services. This is
an ongoing event and we will continue to provide updates through our
customer communications channels.”

The company, like others, has advised all its users who manage environments
containing Log4j to update to the latest version.

VMware

VMware Inc, which makes computer virtualisation software, said Thursday
that several of its products were likely affected by the Java-based Log4j.
The cloud computing company listed all of its products and versions that
are affected by the vulnerability.

The company further noted that as of Saturday, its services are protected
and operational. “Some customers with overly permissive management gateway
firewall rules have had action taken to reduce their exposure from scanning
and exploit activity occurring across the Internet. Those affected have
seen direct communications from VMware,” the company added in its blog post.

All environments are different, have different tolerance for risk, and have
different security controls and defense-in-depth to mitigate risk related
to the Log4j exploit, “so the decision on how to proceed is up to you. However,
given the severity, we strongly recommend that you act,” the company said,
recommending that all of its users apply the patch immediately.

Cisco

Cisco Talos observed attacker activity beginning December 2. The company
notes that additional vectors could be used to trigger the vulnerability.

Log4j is commonly used in a wide variety of software running on systems in
addition to traditional web servers, meaning it is critical not to rule out
other vectors of exploitation. As mitigation is employed by defenders and
as the situation evolves, Cisco warned that hackers will look out for new
ways to infect and attack web servers.

“Devices present and inspecting various aspects of communications between
an attacking system and a victim may also be impacted by this
vulnerability, exposing them to possible compromise,” the company said in a
blog post.

Amazon

Amazon Web Services (AWS) said that it is aware of the recently disclosed
security issue relating to the open-source Apache “Log4j2” utility. “We are
actively monitoring this issue, and are working on addressing it for any
AWS services which either use Log4j2 or provide it to customers as part of
their service,” an advisory pushed by Amazon read.

Meanwhile, Amazon believes that upgrading Log4j2 on JDKs will not mitigate
the issue. The company said the only comprehensive solution is to upgrade
Log4j 2 to 2.15, and any version older than 2.15 should be considered
compromised.