The critical vulnerability disclosed last week in the Java logging package Log4j sent shockwaves throughout the industry, given how frequently that open-source library is used to build enterprise software. Vulnerable code can be found in products from some of the most prominent technology vendors, such as Cisco, IBM and VMware, as well as from vendors serving the MSP community, such as ConnectWise and N-able.
“Normally a vulnerability is reported privately to the software maintainers, who then have time to repair the issue and release an update, so attackers don’t gain a temporary advantage,” VMware wrote in a frequently asked questions (FAQ) document posted to its website. “With a zero-day disclosure like this one, attackers have an advantage while software maintainers scramble to develop the fix.”
Vendors with susceptible versions of Log4j code have been hard at work since Friday developing workarounds, patches and updated versions of their products that eliminate the risk of exploitation. However, some of the impacted products won’t be fixed until early 2022, and resolution dates haven’t yet been announced for other vulnerable products.