Illustration: Annelise Capossela/Axios
The computing world is struggling this week to contain a significant vulnerability in Log4J, an extremely common piece of open-source code.
Why it matters: Experts say the flaw leaves hundreds of millions of systems vulnerable to attack, with the head of the U.S. government's cybersecurity agency calling it among the biggest threats she has seen in her career.
How it works: An attacker could use he flaw to force an affected system to accept commands from a malicious remote server. According to Sean Gallagher, senior threat researcher at Sophos, that could include commands to download and install all manner of code in vulnerable systems, including cryptocurrency miners or other malicious software.
- Given the flawed code's prevalence, experts say that, for most large businesses and government agencies, it is not a question of whether they are affected, but rather how many different systems have been affected.
Catch-up quick: Log4J is an open-source library included in a range of software, services and hardware, such as networking gear from companies including Amazon, Broadcom and Cisco. It tracks what activities are taking place in the code, as well as keep tabs on various communications, requests and errors, according to Gallagher.
- Like many pieces of open-source code, Log4J is maintained by a relatively small team but, thanks to its broad license, has been widely adopted by developers, Gallagher said.
- As Bloomberg details, the flaw was discovered last month by workers at Alibaba, who reported it to the team at the nonprofit Apache Software Foundation, whose volunteers maintain Log4J. That set off a race to close the vulnerability and a patch was released earlier this month.
Between the lines: The key now is identifying and patching all the systems at risk. Complicating the task is the fact many governments, businesses and consumers probably are unaware if they own products using the code.
- "Organizations often have no idea that these libraries are part of their applications, especially if they were developed by third parties who may or may not support them after deployment," Gallagher said.
- The Cybersecurity and Infrastructure Security Agency (CISA) is working to develop a comprehensive list of all the products that include the affected code and encouraging security researchers to share details on any products they believe are infected.
The big picture: In a call with reporters on Tuesday, CISA deputy director Eric Goldstein said that the flaw is "extremely concerning" due to how widely Log4J is used, how easy it is to exploit and that it can allow information to be taken off of targeted systems.
- So far the visible impact from the flaw has been modest, but experts don't expect that to stay the case.
- “With the exception of cryptomining, there's a lull before the storm," Gallagher said. "We expect adversaries are likely grabbing as much access to whatever they can right now with the view to monetize and capitalize on it later."
- That said, there have already been hundreds of thousands of individual attacks, with more expected, per CheckPoint.
Go deeper: CISA has more information on the flaw here, including known vulnerable products and mitigation guidance.