Major tech companies struggle to plug holes in logging software

By Joseph Menn

SAN FRANCISCO (Reuters) - Some of the world's largest technology companies are still struggling to make their products safe from a gaping vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems, IBM (IBM), VMware (VMW) and Splunk (SPLK) were among the companies with multiple pieces of flawed software being used by customers on Thursday without available patches for the Log4j vulnerability, according to a running tally published by the U.S. Cybersecurity and Infrastructure Security Agency.

Logging software is ubiquitous software that tracks activity such as site visits, clicks and chats.

The company efforts underscore the wide reach of the flaw found inside open-source software, described by officials and researchers as the worst flaw they have seen in years.

A researcher for Chinese tech company Alibaba (BABA) warned the nonprofit Apache Software Foundation early this month that Log4j would not just keep track of chats or clicks, but also follow links to outside sites, which could let a hacker take control of the server.

Apache rushed out a fix for the program. But thousands of other programs use the free logger, and those responsible for them must prepare and distribute their own patches to prevent takeovers. That includes other free software, which is maintained by volunteers, as well as programs from companies big and small, some of which have engineers working around the clock.

"Lots of vendors are without security patches for this vulnerability," said security threat analyst Kevin Beaumont, who is helping compile the list for CISA. "Software vendors need to have better, and public, inventories around open-source software usage so it is easier to assess risk - both for themselves and their customers."

Some companies, including Cisco, are updating guidance multiple times daily with confirmation of vulnerabilities, available patches or strategies for mitigating or detecting intrusions when they occur.

As of Thursday, the CISA list included about 20 Cisco products that were vulnerable to attack without a patch available, including Cisco WebEx Meetings Server and Cisco Umbrella, a cloud security product.

But many more were listed as "under investigation" to see if they were vulnerable as well.

"Cisco has investigated over 200 products and approximately 130 are not vulnerable," a company spokesperson said. "Many affected products have dates available for software patches."

VMware (VMW) is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and "patch pending." Some of those without a patch have workarounds to mitigate the holes.

Splunk (SPLK) has a similar list, along with tips for hunting for hackers trying to abuse the flaw.

IBM (IBM) listed nonvulnerable products but said it "does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available." 

Though Microsoft (MSFT), Mandiant and CrowdStrike have all said they see nation-state attackers from better-equipped U.S. adversaries probing for the Log4j flaw, CISA officials said Wednesday they had not confirmed any successful government-backed attacks or any intrusions inside U.S. government equipment.

(Reporting by Joseph Menn; Editing by Dan Grebler)