Major tech companies struggle to plug holes in logging software

Cisco Systems, IBM, VMware and Splunk were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability, according to a running tally published by the U.S. Cybersecurity and Infrastructure Security Agency.

Logging software is ubiquitous software that tracks activity such as site visits, clicks and chats.

The company efforts underscore the wide reach of the flaw found inside open-source software, described by officials and researchers as the worst flaw they have seen in years.

A researcher for Chinese tech company Alibaba warned the nonprofit Apache Software Foundation early this month that Log4j would not just keep track of chats or clicks, but also follow links to outside sites, which could let a hacker take control of the server.

Apache rushed out a fix for the program. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, which is maintained by volunteers, as well as programs from companies big and small, some of which have engineers working around the clock.

“Lots of vendors are without security patches for this vulnerability,” said security threat analyst Kevin Beaumont, who is helping compile the list for CISA. “Software vendors need to have better, and public, inventories around open-source software usage so it is easier to assess risk – both for themselves and their customers.”

Some companies, including Cisco, are updating guidance multiple times daily with confirmation of vulnerabilities, available patches or strategies for mitigating or detecting intrusions when they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

But many more were listed as “under investigation” to see if they were vulnerable as well.

“Cisco has investigated over 200 products and approximately 130 are not vulnerable,” a company spokesperson said. “Many affected products have dates available for software patches.”

VMware is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and “patch pending.” Some of those without a patch have workarounds to mitigate the holes.

Splunk has a similar list, along with tips for hunting for hackers trying to abuse the flaw.

IBM listed nonvulnerable products but said it “does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available.” 

Though Microsoft, Mandiant and CrowdStrike have all said they see nation-state attackers from better-equipped U.S. adversaries probing for the Log4j flaw, CISA officials said Wednesday they had not confirmed any successful government-backed attacks or any intrusions inside U.S. government equipment.

(Reporting by Joseph Menn; Editing by Dan Grebler)

Source link

0 0 votes
Article Rating

Notifier de
0 Commentaires
Commentaires en ligne
Afficher tous les commentaires
Reset Password

Avertissement sur les risques :

Le trading peut vous exposer à des risques de pertes supérieures aux dépôts et ne convient qu’à une clientèle avisée ayant les moyens financiers de supporter un tel risque. Les CFD sont des instruments complexes et présentent un risque élevé de perte rapide en capital en raison de l’effet de levier. Entre 74 et 89% des comptes de clients de détail perdent de l’argent lors de la négociation de CFD. Vous devez vous assurer que vous comprenez comment les CFD fonctionnent et que vous pouvez vous permettre de prendre le risque élevé de perdre votre argent. Ce site n’est en aucun cas une offre de conseil en investissement ni une incitation quelconque à acheter ou vendre des instruments financiers. Trader le Forex et/ou les CFD’s implique un niveau de risque élevé, et peut ne pas être approprié car vous pouvez subir des pertes supérieures à votre dépôt. L’effet de levier peut être en votre défaveur.

Vous devez être conscient et avoir une compréhension complète de tous les risques associés au marché et au trading. Le site peut être amené à produire des commentaires d’ordre général, ce qui ne constitue pas des conseils en investissement et ne doit pas être interprété comme tel.

Veuillez recourir aux conseils d’un conseiller financier extérieur. Le site décline toute responsabilité pour les erreurs, inexactitudes ou omissions et ne garantit pas l’exactitude ou le caractère complet des informations, textes, graphiques, liens ou autres éléments contenus dans cette documentation. Toute information et toute mise à disposition sur le site ont un caractère privé.