Log4j software bug: What you need to know

The warning itself isn’t uncommon.

But the discovery of the Log4j bug a little more than a week ago boosts the significance.

The agencies are instructed to patch or remove affected software by 5 p.m.

ET on Dec. 23 and report the steps taken by Dec. 28.

The bug in the Java-logging libraryApache Log4jposes risks for huge swathes of the internet.

One of the first known attacks using the vulnerability involved the computer gameMinecraft.

The bug is a so-called zero-day vulnerability.

Security professionals hadn’t created a patch for it before it became known and potentially exploitable.

Experts warn that the vulnerability is being actively exploited.

“The potential for damage is incalculable.”

Here’s what else it’s crucial that you know about the Log4j vulnerability.

Who is affected?

The logging library is popular, in part, because it’s free to use.

That price tag comes with a trade-off: Just a handful of people maintain it.

Paid products, by contrast, usually have large software development and security teams behind them.

Meanwhile, it’s up to the affected companies to patch their software before something bad happens.

“That could take hours, days or even months depending on the organization,” Clay said.

He added that Apache is widely used in devices like smartTVs, DVR systems andsecurity cameras.

“The day they’re unboxed and connected, they’re immediately vulnerable to attack.”

Consumers can’t do much more than update their devices, software and apps when prompted.

That could open up a host of security compromising possibilities.

Those activities could lead to an increase in ransomware attacks down the road, Microsoft said.

Bitdefenderalso reported that it detected attacks carrying a ransomware family known as Khonsari against Windows systems.

Izrael also worries about the potential impact on companies with work-from-home employees.

It’s too soon to tell.

CNET’s Andrew Morse contributed to this report.