Joseph Menn

SAN FRANCISCO (Reuters) – Some of the world’s largest technology companies are still struggling to make their products safe from a gaping vulnerability in common logging software a week after hackers began trying to exploit it.

Cisco Systems (NASDAQ:), IBM According to an ongoing tally by the U.S. Cybersecurity and Infrastructure Security Agency (NYSE:), VMware NYSE:, and Splunk NASDAQ:), there was a variety of defective software used by customers by (NYSE:), VMware NYSE:) and Splunk NASDAQ: on Thursday. There were no patches available for Log4j.

The ubiquitous logging software tracks site visits, clicks, and chats.

These efforts by the company highlight the widespread nature of the flaw in open-source software. Researchers and officials have called it the most serious flaw they’ve ever seen.

Chinese technology company’s researcher Alibaba (NASDAQ:). Early this month, the Apache Software Foundation (NASDAQ::) was warned that Log4j would more than just track clicks and chats. It could also monitor links to other sites which could allow a hacker to take over the server.

Apache quickly found a solution. Apache was quick to fix the problem, but thousands of other programs have it. The program’s administrators must distribute and prepare their patches in order to avoid takeovers. This includes free software that is kept up by volunteers and programs made available to companies large or small. Some of these have engineers who work around the clock.

Kevin Beaumont (security threat analyst) said that many vendors do not have security patches to address this vulnerability. Beaumont is part of the CISA list. Open-source software vendors must have better and more public inventories to help them assess the risk to their customers.

Cisco is one of the companies that updates their guidance daily to confirm vulnerabilities and provide patches, or other strategies, for mitigating intrusions.

CISA listed about 20 Cisco products as vulnerable to attacks without a patch. This includes Cisco WebEx Meetings Server, Cisco Umbrella and Cisco Umbrella.

But many more were listed as “under investigation” to see if they were vulnerable as well.

“Cisco has investigated over 200 products and approximately 130 are not vulnerable,” a company spokesperson said. “Many affected products have dates available for software patches.”

VMware is steadily updating an advisory on its site with dozens of impacted products, many with critical vulnerabilities and “patch pending.” Some of those without a patch have workarounds to mitigate the holes.

Splunk provides a similar guide, with helpful tips and tricks for identifying hackers who might be exploiting the flaw.

IBM listed nonvulnerable products but said it “does not confirm or otherwise disclose vulnerabilities externally, even to individual customers, until a fix or remediation is available.” 

CrowdStrike, CrowdStrike and Microsoft (NASDAQ;) all stated they saw nation-state attackers coming from more-equipped U.S. enemies probing for Log4j. However CISA officials claimed Wednesday that they have not seen any government-backed attack or intrusions into U.S. government apparatus.