Cisco Systems, IBM, VMware, and Splunk were among the
companies with multiple pieces of flawed software being used by customers on
Thursday without available patches for the Log4j vulnerability, according to a
running tally published by the US Cybersecurity and Infrastructure Security
Agency.
Logging software is ubiquitous software that tracks activity
such as site visits, clicks, and chats.
The company efforts underscore the wide reach of the flaw
found inside open-source software, described by officials and researchers as
the worst flaw they have seen in years.
A researcher for Chinese tech company Alibaba warned the
nonprofit Apache Software Foundation early this month that Log4j would not just
keep track of chats or clicks, but also follow links to outside sites, which
could let a hacker take control of the server.
Apache rushed out a fix for the programme. But thousands of
other programs use the free logger, and those responsible for them must prepare
and distribute their own patches to prevent takeovers. That includes other free
software, which is maintained by volunteers, as well as programs from companies
big and small, some of which have engineers working around the clock.
"Lots of vendors are without security patches for this
vulnerability," said security threat analyst Kevin Beaumont, who is
helping compile the list for CISA. "Software vendors need to have better,
and public, inventories around open-source software usage so it is easier to
assess risk - both for themselves and their customers."
Some companies, including Cisco, are updating guidance
multiple times daily with confirmation of vulnerabilities, available patches or
strategies for mitigating or detecting intrusions when they occur.
As of Thursday, the CISA list included about 20 Cisco
products that were vulnerable to attack without a patch available, including
Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.
But many more were listed as “under investigation” to see if
they were vulnerable as well.
“Cisco has investigated over 200 products and approximately
130 are not vulnerable,” a company spokesperson said. “Many affected products
have dates available for software patches.”
VMware is steadily updating an advisory on its site with dozens
of impacted products, many with critical vulnerabilities and “patch pending.”
Some of those without a patch have workarounds to mitigate the holes.
Splunk has a similar list, along with tips for hunting for
hackers trying to abuse the flaw.
IBM listed nonvulnerable products but said it "does not
confirm or otherwise disclose vulnerabilities externally, even to individual
customers, until a fix or remediation is available.”
Though Microsoft, Mandiant, and CrowdStrike have all said
they see nation-state attackers from better-equipped US adversaries probing for
the Log4j flaw, CISA officials said Wednesday they had not confirmed any
successful government-backed attacks or any intrusions inside US government
equipment. © Reuters
0 comments:
Post a Comment