Log4j is an ‘endemic vulnerability’ that will remain for years, report says

15 Jul 2022

Image: © Andreas Prott/Stock.adobe.com

The report said organisations are spending ‘significant resources’ trying to address the Log4j flaw, resulting in high costs and delays to ‘mission-critical work’.

Despite ongoing efforts by organisations to protect their networks, the Log4j vulnerability will likely remain in systems for a decade or longer, according to a new report.

The US department of homeland security shared the report yesterday (14 July), which states the flaw has created some of the most serious vulnerabilities discovered in recent years.

The risk stems from Apache Log4j, a Java-based logging utility used by many of the world’s major tech companies for their web infrastructure, including Microsoft, Apple, Amazon, Cisco, Tesla, Twitter and Baidu.

Last year, it was discovered that the flaw – dubbed Log4Shell – can potentially give a hacker unrestricted access to a company’s computer systems.

Significant risk ahead

In its first report, the Cyber Safety Review Board (CSRB) described the Log4j flaw as an “endemic vulnerability” and that there is significant risk ahead.

The report also said the vulnerability has impacted “virtually every networked organisation” due to how widespread the utility is used.

“Log4j is simple to use, free to download and effective in its intended function, making it popular among Java developers, who have embedded it into thousands of other software packages,” the report said.

The CSRB engaged with nearly 80 organisations and individuals representing software developers, end users, security professionals and companies.

The board said that it has not detected any “significant Log4j-based attacks on critical infrastructure systems”. However, organisations are spending “significant resources” trying to address the flaw.

“One federal cabinet department reported dedicating 33,000 hours to Log4j vulnerability response,” the report said. “These responses, often sustained over many weeks and months, resulted in high costs and delayed other mission-critical work, including responding to other vulnerabilities.”

Despite the risk, CSRB chair and undersecretary for policy at the US homeland security department, Robert Silvers, said the board is confident that the report’s recommendations will “drive change and improve cybersecurity”.

“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” Silvers said.

The report includes 19 recommendations for government and industry to improve their cybersecurity, such as investing in open-source software security, better capabilities to identify vulnerable systems and setting a baseline requirement for software transparency “for federal government vendors”.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com