US cybersecurity officials have warned companies of a software vulnerability that could put millions of electronic devices at risk from hackers. The warning was delivered to executives Monday in a phone call involving officials of the US Cybersecurity and Infrastructure Security Agency, CNN reports. "We expect the vulnerability to be widely exploited by sophisticated actors, and we have limited time to take necessary steps in order to reduce the likelihood of damaging incidents," Director Jen Easterly told them, adding that it might be the most serious vulnerability she's ever seen.
The problem is in Log4j, Java-based software that large organizations use to log information in their applications. The logging library flaw would "allow remote attackers to easily take control of the system in which they exploit it," said another agency official. The organizations, including tech giants, will need to clean up their code quickly, analysts said. Amazon Web Services and IBM have started. Consumers could be affected in time, because the software is used so widely.
The Apache Software Foundation has made a security fix available, per CyberScoop, but that's just the beginning. "There’s no single action that fixes this issue," said Jay Gazlay of CISA, who called it a mistake to assume an organization is "going to be done with this in a week or two." The agency is launching a website to provide information about the threat to critical infrastructure and counter "active disinformation." Other nations have issued warnings, as well. Ransomware attacks are among the possibilities, officials said. (Read more cybersecurity stories.)
