www.wsj.com
2600:9000:206f:1000:3:4b0:de80:93a1
Public Scan
URL:
https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180
Submission: On December 21 via manual from US — Scanned from DE
Form analysis
1 forms found in the DOM
<form action="#" class="style--search-form-hI0pb2JfplZrewKUN--51 " role="search"><input id="searchInput" class="style--wsj-search-input-GNMy8Q5kg9IYwJKXYfIMm " placeholder="Enter News, Quotes, Companies or Videos" type="search"
aria-label="Search the Wall Street Journal" tabindex="-1"><button class="style--search-submit-2EFgMYmHzRT8YBR7BYrV6G " aria-label="Submit Button" value="Search" type="submit" tabindex="-1">Search <svg width="24" height="24" viewBox="0 0 24 24">
<defs>
<path id="search-medium_svg__a" d="M10.5 2a7.5 7.5 0 015.645 12.438l5.365 5.365-.707.707-5.365-5.365A7.5 7.5 0 1110.5 2zm0 1a6.5 6.5 0 100 13 6.5 6.5 0 000-13z"></path>
</defs>
<use fill="currentColor" fill-rule="evenodd" xlink:href="#search-medium_svg__a"></use>
</svg></button></form>
Text Content
Pro Cyber News

WHAT IS THE LOG4J VULNERABILITY? WHAT TO KNOW.

CORPORATE SECURITY EXECUTIVES ARE ASSESSING RISK AS SOFTWARE COMPANIES DISCLOSE EXPOSURE

LOG4J, A PIECE OF SOFTWARE USED ACROSS CORPORATE, CONSUMER AND INDUSTRIAL NETWORKS HAS A MAJOR FLAW HACKERS ARE EXPLOITING. Photo: steve marcus/Reuters

By David Uberti, James Rundle and Catherine Stupp

Updated Dec. 17, 2021 2:15 pm ET

A flaw in widely used internet software known as Log4j has left companies and government officials scrambling to respond to a glaring cybersecurity threat to global computer networks.
The bug disclosed last week could enable potentially devastating cyberattacks that span economic sectors and international borders, according to security experts. U.S. officials said hundreds of millions of devices were at risk and issued an emergency directive Friday ordering federal agencies to take immediate steps to mitigate the threat.

Researchers and major technology companies warned that hackers linked to foreign governments and criminal ransomware groups were probing how to exploit the vulnerability within targets’ computer systems.

Here’s what we know about the Log4j flaw:

WHAT IS LOG4J?

Software developers use the Log4j framework to record user activity and the behavior of applications for subsequent review. Distributed free by the nonprofit Apache Software Foundation, Log4j has been downloaded millions of times and is among the most widely used tools to collect information across corporate computer networks, websites and applications. The software is maintained by Apache volunteers, five of whom have worked around the clock in recent days to release security updates.

HOW CAN HACKERS TAKE ADVANTAGE OF LOG4J’S VULNERABILITY?

The Log4j flaw, disclosed by Apache last week, allows attackers to execute code remotely on a target computer, meaning that they can steal data, install malware or take control. Some cybercriminals have installed software that uses a hacked system to mine cryptocurrency, while others have developed malware that allows attackers to hijack computers for large-scale assaults on internet infrastructure.

Security experts are particularly concerned that the vulnerability may give hackers enough of a foothold within a system to install ransomware, a type of computer virus that locks up data and systems until the attackers are paid by victims.
Security company F-Secure Oyj said its analysts have observed some ransomware variants being deployed via the flaw already, along with malware that is often deployed as a precursor to a ransomware strike.

“To be clear, this vulnerability poses a severe risk,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, in a statement issued Sunday.

ARE FOREIGN GOVERNMENTS TAKING ADVANTAGE OF THE FLAW?

Security company Mandiant Inc. and Microsoft Corp. said they have traced attempted attacks that exploit the flaw to hackers with suspected links to China and Iran. Microsoft said one of the groups is the same one responsible for a hack of its Exchange Server email product earlier this year, which the U.S. attributed to China. Beijing denies involvement in the attack.

Microsoft said that it has also seen nation-backed hackers from North Korea and Turkey attempting to exploit Log4j.

Cybersecurity company SecurityScorecard Inc. said Thursday that it had observed scans for the vulnerability linked to Russia-based hackers, including the group blamed for hacking the Democratic National Committee in 2016.

Researchers at Check Point Software Technologies Ltd. said Friday that they had tracked more than 3.8 million attempts by hackers to locate the vulnerability, targeting nearly half of their corporate customers’ networks.

HOW IS THE U.S. GOVERNMENT RESPONDING?

Officials say they have been in frequent contact with cybersecurity companies, cloud-service providers and telecommunications businesses to share information about the threat and attempts to mitigate it. The Biden administration on Friday ordered federal agencies to locate internet-connected software that uses Log4j and immediately update those tools, bolster their security measures or take them offline.

Eric Goldstein, executive assistant director of the Cybersecurity and Infrastructure Security Agency, said Tuesday night that he wasn’t aware of any agency being breached using the Log4j flaw.
So far, Mr. Goldstein said, U.S. officials have observed relatively low-level activity, such as hackers installing cryptocurrency mining tools on victims’ networks.

“But certainly we are deeply concerned about the prospect of adversaries using this vulnerability to cause real harm and even impacting national-critical functions,” Mr. Goldstein added.

CISA has created an information page with recommendations.

HOW IS EUROPE RESPONDING?

Cybersecurity response teams for the 27 European Union countries met virtually on Monday and escalated their monitoring of the Log4j developments to alert mode. Experts in national units across Europe are constantly exchanging technical information about what they see, said Gorazd Bozic, the chair of the network of incident response units from EU countries.

The network could move into a higher emergency-level status if a serious exploit occurs in Europe, Mr. Bozic said. “This can happen tomorrow unless the vendors are quick enough to patch everything,” he said. So far, analysts have seen low-sophistication attempts to exploit Log4j, such as attackers seeking to install software for mining cryptocurrency, he said.

Experts at Belgium’s Centre for Cyber Security have been in contact with local companies all week after issuing a report on how to identify whether the vulnerability is being compromised, said Kevin Holvoet, a cyber threat intelligence analyst at the agency. Analysts have seen continuing scanning attempts to trigger the bug as well as reconnaissance efforts, but the agency hasn’t received reports of it being exploited, he said.

The U.K.’s National Cyber Security Centre published steps to help companies identify the vulnerability in their IT infrastructure. The Dutch National Cyber Security Centre is maintaining a list of software that is and isn’t affected by the vulnerability.
In Romania, the National Cyber Security Directorate sent individual alerts to companies and critical infrastructure operators through a platform it uses to share real-time cyber threat information, said Dan Cimpean, the organization’s director. Analysts are collecting data about how companies and critical infrastructure operators have been affected by the Log4j vulnerability, but Mr. Cimpean said he has seen no sign of a serious incident in Romania.

If a Romanian company is compromised, cyber experts from the agency could step in to help, he said. “We have tools to escalate a very fast response if needed,” he said.

HOW WIDESPREAD IS THE LOG4J FLAW?

Internet-facing systems as well as back-end systems could contain the vulnerability. Log4j software is widely used in business software development.

“Likely millions of servers are at risk,” said Lou Steinberg, founder of CTM Insights LLC, a tech incubator.

An Apache spokeswoman said the nature of how Log4j is inserted into different pieces of software makes it impossible to track the tool’s reach.

WHICH TECHNOLOGY SUPPLIERS ARE AFFECTED BY THE LOG4J VULNERABILITY?

Many, and the list is growing. Among them are Apple Inc., Amazon.com Inc., Cloudflare Inc., IBM, Microsoft Corp.’s Minecraft, Palo Alto Networks Inc. and Twitter Inc. Several technology companies have issued alerts and guidance to customers about how to decrease their risk.

HOW CAN COMPANIES FIX THE LOG4J PROBLEM?

CISA suggests immediately identifying internet-facing devices that have Log4j and ensuring your security team responds to alerts related to these devices. Also, install a web application firewall with rules that automatically update so that your team can concentrate on fewer alerts.

Some patches and technical guidance are available. The Apache organization has released multiple updates in recent days and advised upgrading to the latest version of the Log4j tool. Oracle Corp. released its own patches on Friday.
Microsoft recommended a series of steps to mitigate the risk of exploitation, including contacting your software application providers to be sure they are using the most up-to-date version of the Java programming language, which would include patches.

In lieu of available patches, Teresa Walsh, global head of intelligence at the Financial Services Information Sharing and Analysis Center, recommends that companies limit unnecessary outbound internet traffic, which would go some way to protecting vulnerable systems.

“Firms can reduce their risk by reducing their exposure,” she said.

Write to David Uberti at david.uberti@wsj.com, James Rundle at james.rundle@wsj.com and Catherine Stupp at Catherine.Stupp@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved.