The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is warning of a vulnerability affecting products containing the log4j software library, according to a CISA press release.
The vulnerability is already being exploited, and vendors should patch the products using this software and alert end users to the need to prioritize software updates, the release stated.
“We continue to urge all organizations to review the latest CISA current activity alert and upgrade to log4j version 2.15.0, or apply their appropriate vendor recommended mitigations immediately,” CISA Director Jen Easterly said in the release. “To be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector. We urge all organizations to join us in this essential effort and take action.”
The Wall Street Journal (WSJ) reported Saturday (Dec. 11) that log4j is a piece of server software that is widely used. The flaw enables hackers to force victims’ machines to download software that is unauthorized. Many major tech companies include log4j in their products and are working to patch the vulnerability.
The threat and scope of cybercrimes have only gotten worse, PYMNTS reported in August after Karen Webster’s conversation with Richard Clarke, former national coordinator for security and counterterrorism, and Phillip Dunkelberger, CEO of Nok Nok Labs.
Read more: Cybersecurity Czar Richard Clarke Tells PYMNTS ‘New Mindset’ Needed To Win Cyberwar
As the threat landscape evolves, so too will the partnerships and technologies massed against those threats. As Clarke told Webster, “We, as an economy, as a country are only as secure as our weakest link. You can get into a supply chain provider who has weak security — and then spread the damage out to thousands of companies. We need to make everybody secure — and the way to do that is through a new mindset.”
