Log4j Zero-Day: 'It's About as Serious as It Gets'
Sam Curry of Cybereason on Criticality of Mitigating Serious Apache Vulnerability
How serious is the Apache Log4j zero-day vulnerability that was announced to the world on Friday? "It's big," says Sam Curry, chief security officer at Cybereason, which has developed a 'vaccine' to help mitigate the vulnerability. "I hate hyperbole generally," Curry says. "But it is a 10 on the criticality scale."
The bug found in the Java logging library Apache Log4j can result in full server takeover and leaves countless applications vulnerable (see: Severe Apache Log4j Vulnerability Threatens Enterprise Apps).
Because of its ubiquity, "It's about as serious as it gets," Curry says. "I don't know yet if it's the [vulnerability] of the decade - we'll see when we hit 2030 - but it's a candidate."
In this audio interview with ISMG, Curry discusses:
- The widespread impact of the Log4j flaw;
- The "vaccine" developed by Cybereason;
- What defenders need to be doing now while adversaries are devising exploits.
Curry, CSO at Cybereason, previously served as chief technology and security officer at Arbor Networks. Prior to that role, he spent more than seven years at RSA - the security division of EMC - in a variety of senior management positions, including chief strategy officer, chief technologist, and senior vice president of product management and product marketing. Curry has also held senior roles at MicroStrategy, Computer Associates and McAfee.