Companies rush to fix software exploit after US agency warning

The flaw in the Log4j software could allow hackers unfettered access to computer systems. PHOTO: UNSPLASH

NEW YORK (BLOOMBERG) - Major global companies are facing pressure to fix what experts are calling one of the most serious software flaws in recent memory.

The flaw in the Log4j software could allow hackers unfettered access to computer systems and has prompted an urgent warning by the United States government's cyber-security agency.

Microsoft and Cisco have published advisories about the flaw, and software developers released a fix late last week. But a solution depends on thousands of companies putting the fix in place before it is exploited.

"This is probably the worst security vulnerability in at least the last 10 years - maybe longer," said Mr Charles Carmakal, the chief technology officer for cyber-security firm Mandiant. He said Mandiant received requests from several major companies in the last few days for help.

Alibaba Group's cloud-security team recently discovered the flaw, according to the non-profit Apache Software Foundation, which maintains Log4j. The vulnerability effectively allows hackers to take control of a system. Because the faulty computer code is baked into software of all sorts, updating it is a painstaking process.

"To be clear, this vulnerability poses a severe risk," Ms Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said in a statement Friday (Dec 10). Vendors "must immediately identify, mitigate, and patch the wide array of products using this software", she said.

VMWare, which makes computer-virtualisation software, said Thursday that several of its products were likely affected by the Java-based Log4j.

Mr Amit Yoran, the chief executive officer of Tenable, which makes widely used vulnerability-scanning software, said the Log4j flaw is so ubiquitous that, among customers running Tenable's scanning products, at least three systems a second are reporting they are affected.

"We are taking urgent action to drive mitigation of this vulnerability and detect any associated threat activity," Ms Easterly said, adding that CISA has catalogued the vulnerability - requiring US federal civilian agencies to fix it promptly.

As of Saturday, the agency has not identified compromises in federal systems.

Join ST's Telegram channel and get the latest breaking news delivered to you.