Major tech companies struggle to plug holes in logging software

BY Reuters
— 1:59 PM ET 12/16/2021

By Joseph Menn

SAN FRANCISCO (Reuters) - Some of the world's largest technology companies are still struggling to make their products safe from a gaping vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems, IBM (IBM), VMware (VMW) and Splunk (SPLK) were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability, according to a running tally published by the U.S. Cybersecurity and Infrastructure Security Agency.

Logging software is ubiquitous software that tracks activity such as site visits, clicks and chats.

The company efforts underscore the wide reach of the flaw found inside open-source software, described by officials and researchers as the worst flaw they have seen in years.

A researcher for Chinese tech company Alibaba (BABA) warned the nonprofit Apache Software Foundation early this month that Log4j would not just keep track of chats or clicks, but also follow links to outside sites, which could let a hacker take control of the server.

Apache rushed out a fix for the program. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, which is maintained by volunteers, as well as programs from companies big and small, some of which have engineers working around the clock.

"Lots of vendors are without security patches for this vulnerability," said security threat analyst Kevin Beaumont, who is helping compile the list for CISA. "Software vendors need to have better, and public, inventories around open-source software usage so it is easier to assess risk - both for themselves and their customers."

Some companies, including Cisco, are updating guidance multiple times daily with confirmation of vulnerabilities, available patches or strategies for mitigating or detecting intrusions when they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

But many more were listed as "under investigation" to see if they were vulnerable as well.

"Cisco has investigated over 200 products and approximately 130 are not vulnerable," a company spokesperson said. "Many affected products have dates available for software patches."

VMware (VMW) is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and "patch pending." Some of those without a patch have workarounds to mitigate the holes.

Splunk (SPLK) has a similar list, along with tips for hunting for hackers trying to abuse the flaw.

IBM (IBM) listed nonvulnerable products but said it "does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available." 

Though Microsoft (MSFT), Mandiant and CrowdStrike have all said they see nation-state attackers from better-equipped U.S. adversaries probing for the Log4j flaw, CISA officials said Wednesday they had not confirmed any successful government-backed attacks or any intrusions inside U.S. government equipment.

(Reporting by Joseph Menn; Editing by Dan Grebler)

Copyright © Reuters 2008. All rights reserved. Republication or redistribution of Reuters content, including by caching, framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters and the Reuters sphere logo are registered trademarks and trademarks of the Reuters group of companies around the world.
