Date: 2021-12-12

Companies whose servers have been confirmed to be affected by this issue include Apple, Amazon, Twitter, and Steam.

Chen Zhaojun, an employee of the Chinese private consortium Alibaba, has detected a software flaw, dubbed “Log4Shell”, in Apache Log4j, an open source logging tool used by a large number of applications, web pages and services, TechCrunch reported this Friday.



It was discovered for the first time in the video game Minecraft, owned by Microsoft, although the cybersecurity company LunaSec warns that “many services” are vulnerable because the affected tool is in almost all the main applications and enterprise servers based on the Java programming language.

Companies whose servers have been confirmed to be vulnerable to this problem include Apple, Amazon, Cloudflare, Twitter, Steam, Baidu, NetEase, Tencent and Elastic, although it is believed that the companies and organizations affected could be in the thousands.

What implications does it have?

Robert Joyce, director of cybersecurity for the US National Security Agency (NSA), thinks that it is a “significant threat” and confirmed that GHIDRA, a free and open source reverse engineering tool developed by the agency, has also been affected.

The New Zealand Computer Emergency Response Team (CERT), Deutsche Telekom CERT and web monitoring service Greynoise have warned that hackers are actively looking for servers vulnerable to the software flaw.

Amit Yoran, executive director of the cybersecurity company Tenable, said that it is “the greatest and most critical vulnerability of the last decade”, without ruling out that it is possibly the worst in the history of modern computing.

“Internet is on fire”

“The Internet is on fire right now,” said Adam Meyers, senior vice president of intelligence at cybersecurity firm Crowdstrike, warning that hackers have already developed and distributed tools to exploit the vulnerability.

For her part, Kayla Underkoffler, Senior Security Technologist at HackerOne, believes that this situation highlights the “threat posed by open source software as a growing portion of the critical attack surfaces of the global supply chain”.

The Apache Software Foundation has already released an emergency security update to address the zero-day vulnerability in Log4j, and has also provided a number of mitigation measures for those who cannot install the update immediately.

