Cisco, IBM, and Other Major Tech Firms Struggle to Fix Vulnerability in Logging Software

A week after hackers began attempting to exploit a gaping vulnerability in common logging software, some of the world's largest technology companies are still struggling to make their products safe.

According to a running tally published by the US Cybersecurity and Infrastructure Security Agency, Cisco Systems, IBM, VMware, and Splunk were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability.

Logging software is a common type of program that keeps track of things like site visits, clicks, and chats.

The companies' efforts highlight the breadth of the flaw discovered in open-source software, which officials and researchers have described as the worst flaw they've seen in years.

Early this month, a researcher for Alibaba warned the Apache Software Foundation that Log4j would not only keep track of chats and clicks, but would also follow links to external sites, allowing a hacker to take control of the server.

Apache rushed out a fix for the program. But thousands of other programs rely on the free logger, and those in charge of them must create and distribute their own patches to avoid takeovers. These include other free software maintained by volunteers, as well as programs from large and small businesses, some of which have engineers working around the clock.

"A lot of vendors don't have security patches for this vulnerability," said Kevin Beaumont, a security threat analyst who is assisting CISA in compiling the list. "Software vendors need better, public inventories of open-source software usage so that risk can be assessed more easily - both for themselves and for their customers."

Cisco, for example, is updating guidance on a daily basis with confirmation of vulnerabilities, available patches, and strategies for mitigating or detecting intrusions when they occur.

Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product, were among the products on the CISA list that were vulnerable to attack without a patch as of Thursday.

Many more, however, were marked as "under investigation" to see if they were also vulnerable.

"Over 200 products have been investigated by Cisco, and approximately 130 are not vulnerable," a company spokesperson said. "Software patches for many of the affected products are available."

VMware is constantly updating a website advisory with dozens of impacted products, many of which have critical vulnerabilities and are "patch pending." For some of the products that don't have a patch, workarounds have been devised to close the gaps.

Splunk has a similar list, as well as tips for spotting hackers attempting to exploit the flaw.

"IBM does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available," the company said.

Although Microsoft, Mandiant, and CrowdStrike have all stated that nation-state attackers from better-equipped US adversaries are probing for the Log4j flaw, CISA officials said Wednesday that no successful government-backed attacks or intrusions into US government equipment have been confirmed.