After investigating the vulnerability discovered in late 2021 in the Log4j Java library, the U.S. Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) states in a recently published report that the flaw will remain a threat for many years.
This inaugural CSRB report finds that, despite efforts by federal and private-sector organizations to protect their networks, the Log4j flaw has become an “endemic vulnerability”: unpatched versions of the ubiquitous software library will remain in systems for the next decade, if not longer.
The CSRB, created last year as part of a broad executive order by U.S. President Joe Biden to revamp the federal government’s approach to cybersecurity, has spent nearly five months examining the vulnerability. A 15-person panel was commissioned to study how the Log4j vulnerability occurred and what lessons can be learned from the global cybersecurity community’s response.
Rob Silvers, DHS undersecretary for policy and panel chair, said board members interviewed approximately 80 organizations, including industry, foreign governments and cybersecurity experts, to gather information. The board also spoke with Chinese government officials, as it was an engineer from Alibaba, one of China’s largest cloud computing providers, who initially discovered and reported the vulnerability in the open-source software tool.
The board made 19 recommendations that organizations should follow to increase their vigilance against Log4j. The CSRB findings further suggest raising the bar for security across the cyber community, particularly in the open-source realm, where software developers have “limited resources” and work on a voluntary basis, said Heather Adkins, Google’s vice president for security engineering and the panel’s deputy chair.
Among the report’s key findings, the CSRB found that software developers, maintainers, vulnerability response teams and the U.S. government generally accept risk trade-offs when choosing and integrating software. For example, organizations decided to use Log4j rather than develop a logging framework from scratch. Similarly, organizations choose software from an established vendor on the strength of its mature, approved processes rather than verifying it themselves.
The Log4j event exposed fundamental gaps in vulnerability response practices and overall cybersecurity hygiene. These gaps highlighted how hard it is for organizations to maintain awareness: coordinating trusted and authoritative sources of information, mitigating at scale, measuring the magnitude of risk, and synchronizing threat understanding with defensive action.
Matt Chiodi, managing director of trust at Cerby, a cybersecurity firm, said that Log4j is one of those software components that is ubiquitous, found in applications such as Apache Struts, ElasticSearch, Redis, Kafka and many others, so it is not surprising that the CSRB labels it an “endemic vulnerability”.
He adds that 100 per cent protection against these types of risks is not possible, but they can be contained and minimized by doing two things:
- Getting dead serious about knowing your assets and
- Moving towards a Zero Trust architecture.
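The first of those two measures has a concrete, checkable form: an inventory of where log4j-core actually sits on disk, including copies bundled inside application archives, which is where the "endemic" copies tend to hide. The scanner below is an added example written for this page, not code from the CSRB report or from Cerby. It walks a directory, reads the Maven pom.properties that log4j-core ships inside its JAR, recurses into nested JAR/WAR/EAR files, and flags any version below a minimum. The minimum version (2.17.1 here) is a placeholder you should set from your own patch baseline, and the sample archives it builds in a temporary directory are constructed for the demonstration; both are assumptions, not facts from the article.

```python
# Added example: Log4j asset inventory scanner (not from the article or the CSRB report).
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

# Maven metadata that log4j-core bundles inside its own jar.
POM_PATH = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MIN_SAFE_VERSION = (2, 17, 1)  # assumption: replace with your own patch baseline


@dataclass
class Finding:
    location: str   # path into nested archives, e.g. app.war!WEB-INF/lib/x.jar
    version: str
    vulnerable: bool


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); non-numeric tails such as '-beta9' are dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_from_properties(data):
    """Pull the version= line out of a Java .properties file."""
    for line in data.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(zf, location, findings):
    """Inspect one open archive, then recurse into any archives nested inside it."""
    names = zf.namelist()
    if POM_PATH in names:
        version = version_from_properties(zf.read(POM_PATH)) or "unknown"
        # An unreadable version is treated as vulnerable: unknown is not "safe".
        vulnerable = version == "unknown" or parse_version(version) < MIN_SAFE_VERSION
        findings.append(Finding(location, version, vulnerable))
    for name in names:
        if not name.lower().endswith(ARCHIVE_EXT):
            continue
        try:
            inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
        except zipfile.BadZipFile:
            continue  # not really a zip; skip rather than abort the whole scan
        with inner:
            scan_archive(inner, f"{location}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return a Finding for every log4j-core copy seen."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if not fn.lower().endswith(ARCHIVE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with zipfile.ZipFile(path) as zf:
                    scan_archive(zf, os.path.relpath(path, root), findings)
            except zipfile.BadZipFile:
                continue
    return findings


def _jar_bytes(version):
    """Constructed stand-in for a log4j-core jar; only pom.properties matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PATH, f"version={version}\nartifactId=log4j-core\n")
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: one patched jar on disk, one old jar hidden inside a WAR."""
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(_jar_bytes("2.17.1"))
    os.makedirs(os.path.join(root, "deploy"))
    with zipfile.ZipFile(os.path.join(root, "deploy", "legacy-app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", _jar_bytes("2.14.1"))
        war.writestr("WEB-INF/lib/README.txt", "nothing to see")


def demo():
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{'VULNERABLE' if f.vulnerable else 'ok':10} {f.version:8} {f.location}")
```

Run against a real host, point scan_tree at the application and container roots rather than the constructed tree; the nested-archive recursion is the part that matters, because the copy that survives a patch cycle is usually the one inside a WAR that nobody listed as an asset.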
The full report is available here.