Criminals, cyber spies and hackers around the world are launching thousands of attempts every hour to exploit a flaw in widely used logging software, as cybersecurity experts scramble to close the loophole and prevent catastrophic attacks.
In early December, a security researcher from Chinese online retailer Alibaba discovered and reported the software flaw in a widely used tool called log4j. The open source tool is a Java library developed by Apache that software developers use to track activity within an application.
Whenever someone on the Internet connects to a website, cloud service provider or other online service, the company that manages the site or service captures data about the activity and stores it in a log. Hackers are now trying to break into these logs and launch attacks.
“We have what I call a triple problem here,” said Steve Povolny, senior engineer and head of advanced threat research at McAfee Enterprise. “The simplicity of the attack, the pervasiveness of the vulnerable installed base, and the high availability of exploit code really combine to make this… perhaps the vulnerability of the decade.”
Although Apache has offered a patch to fix the flaw, businesses and government agencies are using many versions of the log4j tool and trying to determine which patch works with which version, Povolny said. But late last week, security researchers identified that a patch known as version 2.16 “effectively fixes the problem,” he said.