CISA probes scope, potential fallout of Log4j vulnerability

Dec 14, 2021 | CYBERSCOOP

A top government cyber official said Tuesday that the Cybersecurity and Infrastructure Security Agency hasn’t seen hackers compromise federal agencies by exploiting the Apache Log4j vulnerability — but the agency’s still fearful of widespread attacks stemming from it.

Most of all, CISA’s Eric Goldstein said during a phone call Tuesday evening, the government is eager for help from the public in assembling a comprehensive list of all the products that might be susceptible to hackers using the vulnerability, known as Log4Shell, in the widely deployed logging library. The agency expects the vulnerability could affect hundreds of millions of devices or more.

CISA and private sector cybersecurity investigators have struck exceptionally dire notes about the potential fallout, which has not, as of yet, come to fruition. It’s that unknown potential, however, that has prompted CISA to try to get organizations to patch their systems and take other steps to secure them.

“Certainly given the nature of this vulnerability, the triviality of exploitation, the ubiquity of the presence across enterprise, consumer and IoT [internet of things] products — really, our broad focus here is driving mitigation across the board, recognizing that malicious cyber

Read More: https://www.cyberscoop.com/cisa-log4j-products-khonsari-china/