Cisco, IBM, More Major Tech Companies Struggle to Plug Hole in Logging Software Vulnerability

Logging software is ubiquitous software which tracks activity such as site visits, clicks and chats.

By Reuters | Updated: 17 December 2021 11:05 IST

Cisco, IBM, More Major Tech Companies Struggle to Plug Hole in Logging Software Vulnerability

Cisco Systems, IBM, VMware, and Splunk were among the companies with multiple pieces of flawed software

Highlights

The company efforts underscore the wide reach of the flaw
Apache rushed out a fix for the programme
Companies, including Cisco, are updating guidance multiple times daily

Some of the world's largest technology companies are still struggling to make their products safe from a gaping vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems, IBM, VMware, and Splunk were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability, according to a running tally published by the US Cybersecurity and Infrastructure Security Agency.

Logging software is ubiquitous software that tracks activity such as site visits, clicks, and chats.

Cisco Denies Report of Developing Private-Cloud Subscription Service

The company efforts underscore the wide reach of the flaw found inside open-source software, described by officials and researchers as the worst flaw they have seen in years.

A researcher for Chinese tech company Alibaba warned the nonprofit Apache Software Foundation early this month that Log4j would not just keep track of chats or clicks, but also follow links to outside sites, which could let a hacker take control of the server.

Apache rushed out a fix for the programme. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, which is maintained by volunteers, as well as programs from companies big and small, some of which have engineers working around the clock.

Webex Video Conferencing App Revamped by Cisco, Targets Virtual Events

"Lots of vendors are without security patches for this vulnerability," said security threat analyst Kevin Beaumont, who is helping compile the list for CISA. "Software vendors need to have better, and public, inventories around open-source software usage so it is easier to assess risk - both for themselves and their customers."

Some companies, including Cisco, are updating guidance multiple times daily with confirmation of vulnerabilities, available patches or strategies for mitigating or detecting intrusions when they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

But many more were listed as “under investigation” to see if they were vulnerable as well.

“Cisco has investigated over 200 products and approximately 130 are not vulnerable,” a company spokesperson said. “Many affected products have dates available for software patches.”

VMware is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and “patch pending.” Some of those without a patch have workarounds to mitigate the holes.

Splunk has a similar list, along with tips for hunting for hackers trying to abuse the flaw.

IBM listed nonvulnerable products but said it "does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available.”

Though Microsoft, Mandiant, and CrowdStrike have all said they see nation-state attackers from better-equipped US adversaries probing for the Log4j flaw, CISA officials said Wednesday they had not confirmed any successful government-backed attacks or any intrusions inside US government equipment.

Why does Redmi refresh its phones so soon? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.