Written by Tim Starks
Dec 13, 2021 | CYBERSCOOP
Cybersecurity and Infrastructure Security Agency Director Jen Easterly told industry leaders in a phone briefing Monday that a vulnerability in a widely used logging library “is one of the most serious I’ve seen in my entire career, if not the most serious.”
“We expect the vulnerability to be widely exploited by sophisticated actors and we have limited time to take necessary steps in order to reduce the likelihood of damage,” she said of the Apache Log4j flaw. The issue is an unauthenticated remote code execution vulnerability that could allow an intruder to take over an affected device.
Hundreds of millions of devices are likely to be affected, said Jay Gazlay of CISA’s vulnerability management office in the call with critical infrastructure owners and operators.
CISA, a component of the Department of Homeland Security, is setting up a dedicated website as soon as Tuesday to provide information and counter “active disinformation,” said Eric Goldstein, executive assistant director for cybersecurity at the agency. The vulnerability would “allow a remote attacker to easily take control of the system in which they exploit it,” he said.
The industry briefing was the latest alarm sounded by government