A newly discovered cybersecurity vulnerability in Apache Log4j, an open-source software tool used by numerous companies, could enable hackers to install malware on affected systems.

The Apache Software Foundation, which oversees development of Log4j, issued a patch for the vulnerability this morning. The organization also released guidelines on how users can mitigate the flaw if downloading the patch isn’t possible. The U.S. Cybersecurity and Infrastructure Security Agency is urging users to apply a fix to vulnerable systems immediately.

Many of the world’s applications, particularly enterprise workloads, are written in the Java programming language. Log4j is a logging tool for Java applications that helps developers detect and troubleshoot software errors. The tool is widely used in the enterprise. 

The newly discovered vulnerability in Log4j has been rated as being of critical severity. One reason why the vulnerability poses a major cybersecurity threat is that Log4j ships with several popular open-source tools maintained by the Apache Software Foundation. Those tools, in turn, power numerous applications worldwide, many of which could be affected by the vulnerability as a result. 

The iCloud cloud storage service from Apple Inc. and Microsoft Corp.’s bestselling Minecraft video game are believed to be among the vulnerable products. 

For affected users, fixing vulnerable systems is particularly urgent because the Log4j flaw is believed to be fairly simple for hackers to exploit. Moreover, researchers have reportedly detected signs that hackers are already using the vulnerability to launch cyberattacks. 

“Given how ubiquitous this library is, the impact of the exploit (full server control), and how easy it is to exploit, the impact of this vulnerability is quite severe,” researchers from cybersecurity firm LunaSec wrote in a blog post today. 

LunaSec has named the vulnerability Log4Shell. The vulnerability is also tracked as CVE-2021-44228 in the CVE database of software security flaws.

Researchers at Randori Inc., a venture-backed cybersecurity startup, stated that “if you believe you may be impacted by CVE-2021-44228, Randori encourages all organizations to adopt an assumed breach mentality and review logs for impacted applications for unusual activity. Effectively, any scenario that allows a remote connection to supply arbitrary data that is written to log files by an application utilizing the Log4j library is susceptible to exploitation.”

The severity of the Log4j vulnerability has led Cloudflare Inc. to take steps to protect customers from potential cyberattacks. Publicly traded Cloudflare operates a content delivery platform that processes traffic for a sizable portion of the world’s websites. Today, the company updated its platform’s web application firewall with new settings that will help customers block attempts to exploit the vulnerability.

“We are continuing to monitor the situation and will update any WAF managed rules accordingly,” Cloudflare stated. 

Image: Unsplash