Corporate security executives say they hurried over the weekend to assess whether and how their computer networks use the software, Log4j, while waiting for vendors to disclose the risk to their own technologies and issue software updates to mitigate the threat. The bug was disclosed Thursday.
Log4j is used on computer servers to keep records of users’ activities so they can be reviewed later by security or software development teams. The nonprofit Apache Software Foundation, a group that distributes the open-source tool at no cost, has said it has been downloaded millions of times.
The flaw is particularly dangerous given the widespread use of Log4j on corporate networks and the ease with which hackers could exploit the vulnerability, security experts say. Attackers could use the bug to break into computer networks to steal sensitive data, prepare for ransomware attacks, or create backdoors that will allow them to maintain access to corporate systems even after the flawed software has been patched.
The Log4j framework is used in at least 250,000 open-source software projects cataloged by Fortress Information Security, which analyzes suppliers to critical-infrastructure businesses including power companies and defense contractors, said Tony Turner, vice president of security solutions. Developers sometimes build software atop existing tools without fully understanding the underlying code, he said, potentially obscuring flaws such as the Log4j vulnerability.
It could take many tech vendors a week or two to patch software affected by the vulnerability, Mr. Turner said. “But let’s look at the calendar, what’s happening in two weeks? Christmas,” he said. “It’s quite likely we won’t see any concerted patching efforts till the new year.”
The vulnerability poses the latest threat to the supply chains that help the digital economy run, already under scrutiny from companies and governments since Russian hackers allegedly breached U.S. agencies through a compromised SolarWinds Corp. tool last year.
U.S. officials in recent days called on suppliers affected by the Log4j vulnerability to update their software and contact customers. The Cybersecurity and Infrastructure Security Agency said it would hold an emergency call Monday afternoon to share more information with critical infrastructure operators. CISA didn’t respond to a request for additional comment.
Experts say they expect a ransomware attack using the vulnerability to happen soon.
“I think it’s a matter of hours before we see this,” said Arijo Nazari Azari, chief information security officer of Evonik Industries AG. Mr. Azari on Monday said the German chemical company’s security team spent the weekend working to pinpoint vulnerabilities across its information-technology infrastructure. His team first scanned internet-facing systems before moving to internal platforms.
Evonik shut down an online learning platform for employees as a precaution after identifying the Log4j software in the platform’s software stack, he said.
“If you exploit this kind of vulnerability, you could really harm companies and also ruin the reputation of the vendor,” Mr. Azari said.
The pervasiveness of the logging software has allowed the bug to have a ripple effect across tightly connected digital supply chains, cybersecurity experts say, leaving some companies rushing to take stock of their vendors’ tools and security measures.
Some vendors to Milwaukee, Wis.-based Rockwell Automation Inc., which makes industrial automation products, proactively told Rockwell about their exposure to the Log4j flaw, said Dawn Cappelli, the company’s CISO. Ms. Cappelli recommended that security teams at other companies continue contacting suppliers that have yet to share such information and ensure businesses that have been acquired but operate independently conduct similar reviews.
“Make sure they are all doing the same thing you are,” Ms. Cappelli added.
Large technology suppliers issued a string of alerts after the Apache Software Foundation notified its user community of the flaw on Thursday.
Amazon.com Inc. said it is investigating the issue, while Microsoft Corp. told customers that “attackers are probing all endpoints for vulnerability.” Software providers that include Log4j in their products, such as International Business Machines Corp. and VMware Inc., have said they are deploying patches.
Allie Mellen, a cybersecurity analyst at Forrester Research Inc., urged companies to remove sensitive data from products or services that contain the Log4j flaw in the interim.
“It’s basically a hole in the enterprise that attackers can get into very easily,” she said. “It puts a lot of pressure on those incident responders to really make sure they’re looking at everything that’s affecting those systems.”
