Log4shell: US demands Christmas Eve deadline for hack fix

Getty Images An illustration featuring small model workmen fixing a problem on a circuit boardGetty Images

US cyber-security officials have ordered federal agencies to protect their systems against a major computer vulnerability by Christmas Eve.

The Cybersecurity and Infrastructure Security Agency (CISA) set a 24 December deadline for security patches.

Security experts have called Log4shell one of the most serious security flaws in the past decade.

CISA head Jen Easterly has called it "a severe risk".

Separately, Microsoft has warned some nation-state hacking groups are using Log4shell.

"Multiple tracked nation-state activity groups originating from China, Iran, North Korea, and Turkey" were using the vulnerability, the company said, for activities ranging from "experimentation" to targeted attacks.

CISA added it to the "Known Exploited Vulnerabilities Catalog" a list of common security flaws that carry significant risk to the federal organisations.

The agency said federal civilian executive-branch agencies must "mitigate" the problem - with IT systems patched with new software - by 24 December.

Getty Images A photo illustration of tiny model workers on a circuitboardGetty Images

A particular concern with Log4shell has been the ease with which it can be used - one security company, Crowdstrike, said it was "trivial" to exploit.

In the past four months, Log4J, the code containing the flaw, has been downloaded 84 million times from the largest public repository of open-source Java components, according to security company Sonatype .

Millions of computers running online services use it for logging or recording events.

"For example, when you buy something online, your username might be written to a log file for later processing," Cloudflare's chief technical officer John Graham-Cumming told BBC News.

"Unfortunately, a flaw in Log4j meant that by using special characters in data that is logged, it is possible to get a machine inside a company to run code that an attacker controls.

"This gives them a foothold inside what would normally be a secure, protected computer."

Cloudflare, which provides internet security and other services meant to help online businesses operate smoothly, implemented measures to protect its users from the vulnerability

It told BBC News it had blocked 1.3 million attempts to use Log4shell in just one hour, on Tuesday.

Updates protecting against the flaw have been issued.

The UK's National Cyber Security Centre has called on companies to "urgently" follow its advice on mitigating the problem and "install the latest updates immediately wherever Log4j is known to be used".

But security news site SC Media reported experts "estimated months to years of finding new instances of this vulnerability across enterprises and vendors".