
Cisco, IBM and many other big tech companies are still racing to patch the Log4j logging software vulnerability


Some of the world’s biggest tech companies are still struggling to make their products safe from a vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems, IBM, VMware and Splunk were among a number of companies that, as of Thursday, had multiple flawed software products in use by customers for which patches for the Log4j vulnerability were not available, according to a running tally published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Logging software is popular for tracking activity like website visits, clicks and chats.

The companies’ efforts highlight the wide reach of the vulnerability, found inside open-source software, which officials and researchers describe as the worst they’ve seen in years.

A researcher for the Chinese tech company Alibaba warned the nonprofit Apache Software Foundation earlier this month that Log4j would not only keep track of chats or clicks, but would also follow links to external websites, which could allow hackers to take control of the server.

Apache rushed to issue a fix for the program. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, maintained by volunteers, as well as programs from companies large and small, some with engineers working around the clock.

“A lot of vendors don’t have security patches for this vulnerability,” said threat analyst Kevin Beaumont, who is helping to compile the list for CISA. “Software vendors need to have better and public inventories around the use of open source software to make it easier to assess risk – for both themselves and their customers.”

Some companies, including Cisco, are updating their guidance several times a day with confirmation of vulnerabilities, available patches, or strategies to mitigate or detect intrusions as they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable without a patch, including the Cisco WebEx Meeting Server and Cisco Umbrella, a cloud security product.

But many others are listed as “under investigation” to see if they are vulnerable.

A company spokesperson said: “Cisco investigated more than 200 products and about 130 products were not vulnerable. Many affected products have availability dates for software patches.”

VMware is regularly updating an advisory on its website with dozens of affected products, many with critical vulnerabilities and “patches pending.” Some of those without patches have workarounds to mitigate the vulnerability.

Splunk has a similar list, along with tips for hunting down hackers trying to abuse the vulnerability.

IBM listed products as unpatched but said it “does not confirm or disclose the vulnerabilities to the outside world, even to individual customers, until a fix or action is taken.”

Although Microsoft, Mandiant, and CrowdStrike have all said they see nation-state attackers from better-equipped US rivals probing the Log4j vulnerability, CISA officials said Wednesday that they have not confirmed any successful government-backed attack or any intrusion into U.S. government equipment.

© Thomson Reuters 2021


desi aunty x videos kamporn.mobi hot smooch andaaz film video pornstarsporn.info tamil sexy boobs internet cafe hot tubetria.mobi anushka sex video desi sexy xnxx vegasmovs.info haryana bf video 黒ギャル 巨乳 無修正 javvideos.net 如月有紀