The US government revealed a new software vulnerability and warned that hundreds of millions of devices are at risk and that hackers are actively exploiting it.
Exploitation of Log4j, open-source software maintained by a group of volunteer programmers as part of the nonprofit Apache Software Foundation and a key Java logging framework, has been under way since December 1st.
Since then, warnings have been issued by several national cyber security agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the UK's National Cyber Security Centre (NCSC) and Germany's federal cybersecurity watchdog, the BSI.
The vulnerability is in Java-based software known as "Log4j" that large organizations, including some of the world's biggest tech firms, use to log information in their applications. Tech giants including Amazon Web Services and IBM have moved to address the bug in their products.
Experts believe that it could take weeks to address the vulnerabilities and that suspected Chinese hackers are already attempting to exploit them.
The vulnerability offers a hacker a relatively easy way to access an organization's computer server. From there, an attacker could devise other ways to access systems on the organization's network.
The Apache Software Foundation, which manages the Log4j software, has released a security fix for organizations to apply.
What is Log4j?
Log4j is open-source software maintained by a group of volunteer programmers as part of the nonprofit Apache Software Foundation and is a key Java logging framework. Log4j, which security experts said is used by millions of applications, is code that developers put into applications to record, or 'log', activity, which helps programmers debug software.
Apache noted in its security advisory that the issue was first publicly disclosed by a security researcher working for Chinese technology company Alibaba Group Holding Ltd. The flaw in the Log4j software could allow hackers unfettered access to computer systems.
Reports have said the initial exploitation was spotted on December 2, before a patch was rolled out a few days later; a partial fix for the vulnerability was released on Friday by Apache, the maker of Log4j.
Chinese government-linked hackers have already begun using the vulnerability, Charles Carmakal, senior vice president and chief technology officer of cybersecurity firm Mandiant, said in a statement.
To address the issue, CISA said it would set up a public website with information on which software products were affected by the vulnerability and the techniques that hackers were using to exploit it.