To paraphrase the familiar yuletide song, in the world of IT this is “the most speculative time of the year.” True, tying predictions to the regular calendar may be a bit out of sync for much of the business and government world—the federal fiscal year begins on Oct. 1, and here at Synopsys we say Happy First Quarter on Nov. 1. But we all still celebrate the new year on New Year’s Day.

At midnight last Thursday, we experienced one of the most notable infosec events in years. A new zero-day exploit in a popular logging package for Java, Log4j, was discovered. The exact origin and timeline are still being investigated, but it’s important to note that this was not just a vulnerability announcement. The information disclosed was rapidly followed by fully functional exploit code—and the exploit itself turned out to be trivial to execute.

Effective software supply chain risk management requires security measures throughout the entire supply chain. Risk management is a well-understood part of business. Personified, risk management would be a dusty, gray man with a gray beard who asks questions that make you uncomfortable. Risk management is about understanding threats to your business and figuring out how you will deal with them.

The NVD currently lacks a CVSS score for this vulnerability, but the Synopsys Cybersecurity Research Center (CyRC) has issued a corresponding Black Duck® Security Advisory (BDSA), and assigned a CVSS score of 9.1, with links to proof-of-concept exploits. A dangerous, zero day exploit has been identified in log4j, a popular Java logging library. Apache log4j/log4j2 is broadly used within the Java community to implement application logging.

Tim Mackey talks about his journey working in cybersecurity, today’s cyberthreat landscape, and how the industry is evolving.

Broken authentication and local file inclusion leads to information disclosure and remote code execution in the GOautodial API.