Cybersecurity Experts Warn of Far-Reaching Flaw in Apache Logging Software
The Cybersecurity and Infrastructure Security Agency said the flaw affects versions 2.0-beta9 to 2.14.1 of the Log4j framework, an open-source, Java-based logging tool used for enterprise applications and cloud services.
CISA advised affected organizations to immediately take steps to mitigate the vulnerability, The Hill reported.
According to cybersecurity analysts, the vulnerability is affecting Apple’s iCloud service, the Steam digital store and Chinese web giant Baidu.
Data security company LunaSec said it found evidence that simply changing an iPhone’s name could trigger the vulnerability in Apple’s servers.
Minecraft, an online game owned by Microsoft, reported that its Java Edition is also affected by the vulnerability and advised users to urgently address security concerns. The developers have pushed an update that will automatically patch non-modified launchers of the game.
Joe Sullivan, CEO of web security company Cloudflare, said that the vulnerability has the whole internet security community trying to understand its implications.
He added that the vulnerability could be the “biggest” yet because of how widely used the Log4j software is.
“It’s a foundational vulnerability in a significant piece of software that resides within a lot of other bigger pieces of software,” Sullivan told The Hill in an interview.
National Security Agency Director Rob Joyce also warned about the wide reach of the Log4j vulnerability. Joyce said in a tweet that the vulnerability also affects Ghidra, an open-source reverse engineering tool developed by the NSA.