Major tech companies struggle to plug holes in logging software

FILE PHOTO: An illustration picture shows a projection of binary code on a man holding a laptop computer, in an office in Warsaw June 24, 2013. REUTERS/Kacper Pempel/File Photo

SAN FRANCISCO (Reuters) - Some of the world’s largest technology companies are still struggling to make their products safe from a gaping vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems, IBM, VMware and Splunk were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability, according to a running tally published by the U.S. Cybersecurity and Infrastructure Security Agency.

Logging software is ubiquitous software that tracks activity such as site visits, clicks and chats.

The company efforts underscore the wide reach of the flaw found inside open-source software, described by officials and researchers as the worst flaw they have seen in years.

A researcher for Chinese tech company Alibaba warned the nonprofit Apache Software Foundation early this month that Log4j would not just keep track of chats or clicks, but also follow links to outside sites, which could let a hacker take control of the server.

Apache rushed out a fix for the program. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, which is maintained by volunteers, as well as programs from companies big and small, some of which have engineers working around the clock.

"Lots of vendors are without security patches for this vulnerability," said security threat analyst Kevin Beaumont, who is helping compile the list for CISA. "Software vendors need to have better, and public, inventories around open-source software usage so it is easier to assess risk - both for themselves and their customers."

Some companies, including Cisco, are updating guidance multiple times daily with confirmation of vulnerabilities, available patches or strategies for mitigating or detecting intrusions when they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

But many more were listed as “under investigation” to see if they were vulnerable as well.

“Cisco has investigated over 200 products and approximately 130 are not vulnerable,” a company spokesperson said. “Many affected products have dates available for software patches.”

VMware is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and “patch pending.” Some of those without a patch have workarounds to mitigate the holes.

Splunk has a similar list, along with tips for hunting for hackers trying to abuse the flaw.

IBM listed nonvulnerable products but said it "does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available.”

Though Microsoft, Mandiant and CrowdStrike have all said they see nation-state attackers from better-equipped U.S. adversaries probing for the Log4j flaw, CISA officials said Wednesday they had not confirmed any successful government-backed attacks or any intrusions inside U.S. government equipment.

(Reporting by Joseph Menn; Editing by Dan Grebler)

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 3
Subscribe now to our Premium Plan for an ad-free and unlimited reading experience!


Next In Tech News

India market regulator mandates enhanced disclosure norms for IPO-bound companies
UK's MI5 website briefly hit by denial of service attack - BBC
Ericsson wins Greenland 5G deal
Telecoms industry eager for Mexican regulator to adopt speedy Wi-Fi 6
Elon Musk set to showcase Tesla's humanoid robot after delay
Concern over 'diet pills' being promoted on TikTok
Saudi Arabia outlines plans to invest US$38bil in esports
Man pretends to be his son to ask teen girls for nude photos on Instagram, US cops say
Japan's Kioxia to cut wafer input volume for flash chip production by 30% at two plants
Makeshift WiFi spot reconnects shattered Ukraine city

Others Also Read