Widely Used Software With Log4j Vulnerability Sends Cyber Defenders Scrambling

The Apache Log4j Remote Code Execution Vulnerability is said to be the “single biggest, most critical vulnerability” of the last decade.

Advertisement
By Reuters | Updated: 14 December 2021 18:11 IST
Highlights
  • Log4j comes from a popular open-source product
  • US government warned the private sector about Log4j and its risks
  • A partial fix for the vulnerability was released on Friday by Apache

The US government sent a warning to the private sector about the Log4j vulnerability

A newly discovered vulnerability in a widely used software library is causing mayhem on the Internet, forcing cyber defenders to scramble as hackers rush to exploit the weakness. The vulnerability, known as Log4j, comes from a popular open-source product that helps software developers track changes in applications that they build. It is so popular and embedded across many companies' programs that security executives expect widespread abuse.

"The Apache Log4j Remote Code Execution Vulnerability is the single biggest, most critical vulnerability of the last decade," said Amit Yoran, chief executive of Tenable, a network security firm, and the founding director of the US Computer Emergency Readiness Team. The US government sent a warning to the private sector about the Log4j vulnerability and the looming risk it poses on Friday.

Advertisement

In a conference call on Monday, the leader of CISA said it was one of the worst vulnerabilities seen in many years. She urged companies to have staff working through the holidays to battle those using new methods to exploit the flaw.

Much of the software affected by Log4j, which bears names like Hadoop or Solr, may be unfamiliar to the public at large. But as with the SolarWinds program at the center of a massive Russian espionage operation last year, the ubiquity of these workhorse programs makes them ideal jumping-off points for digital intruders.

Juan Andres Guerrero-Saade, the principal threat researcher with cybersecurity firm SentinelOne, called it "one of those nightmare vulnerabilities that there's pretty much no way to prepare for." While a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j, affected companies and cyber defenders will need time to locate the vulnerable software and properly implement patches. Log4j itself is maintained by a few volunteers, security experts said.

In practice, the flaw allows an outsider to enter active code into the record-keeping process. That code then tells the server hosting the software to execute a command giving the hacker control. The issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd, Apache noted in its security advisory.

Advertisement

It is now apparent that initial exploitation was spotted on December 2, before a patch rolled out a few days later. The attacks became much more widespread as people playing Minecraft used it to take control of servers and spread the word in gaming chats.

So far no major disruptive cyber incidents have been publicly documented as a result of the vulnerability, but researchers are seeing an alarming uptick in hacking groups trying to take advantage of the bug for espionage. "We also expect to see this vulnerability in everyone's supply chain," said Chris Evans, chief information security officer at HackerOne.

Advertisement

Multiple botnets, or groups of computers controlled by criminals, were also exploiting the flaw in a bid to add more captive machines, experts tracking the developments said.

What many experts now fear is that the bug could be used to deploy malware that either destroys data or encrypts it, like what was used against U.S. pipeline operator Colonial Pipeline in May which led to shortages of gasoline in some parts of the United States. Guerrero-Saade said his firm had already seen Chinese hacking groups moving to take advantage of the vulnerability.

Advertisement

The US cybersecurity firms Mandiant and Crowdstrike also said they found sophisticated hacking groups leveraging the bug to breach targets. Mandiant described those hackers as "Chinese government actors" in an email to Reuters.


Will Snapdragon's new 2022 chips make it more prominent as a brand? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Advertisement

Related Stories

Popular Mobile Brands
  1. Everything We Know About the Nothing Phone 4b
  2. Best Camera Phones Under Rs. 30,000 for Content Creators in India
  3. Amazon Prime Day 2026: Best Deals on iQOO Smartphones
  4. Amazon Prime Day 2026: 55-inch Smart TV Deals from Lumio, Samsung and More
  1. Amazon Prime Day 2026 Laptop Deals: Best Discounts on HP, Asus, Lenovo, Dell, Acer Models
  2. Best Camera Phones Under Rs. 30,000 for Content Creators in India: Motorola Edge 70 Fusion, Galaxy F56, More
  3. Boat Stone 900 Launched in India With Up to 80W Sound Output, Up to 15 Hours Audio Playback: Price, Features
  4. Cyberpunk 2077 Has Sold 40 Million Copies, CD Projekt Red Confirms
  5. Nothing Phone 1 Receives Final Software Update With Latest Security Patches, Bug Fixes and Improvements
  6. Nokia 235 4G (2026), 215 4G (2026) Launched Alongside Nokia 210 4G, and 200 4G With AI Assistant Button
  7. Samsung Galaxy S27 Ultra Battery Details Leaked; Could Top iPhone 18 Pro Max's Battery Capacity
  8. OnePlus Ace 7 Series Tipped to Feature 185Hz Display, 9,000mAh Battery
  9. WhatsApp Rolls Out Primary Device Support on iPad, Tests New Setup Screen for Android Tablets: Report
  10. Government Directs App Stores to Remove Malicious Apps Used to Disrupt E-Rickshaw Operations: Report
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.