The Log4j vulnerability is nestled in so many different places that exploitation of it will continue to be a cybersecurity issue for the next 10 years, according to the Cyber Safety Review Board.
The notorious Java logging flaw is “endemic” and will not be fully remedied by the open source community or the organizations it plagues, according to a new report. The publisher (the Apache Software Foundation) has fixed the Log4j vulnerability in current releases, but there is no central means by which to update all of the existing instances of the software out in the wild.
Cybersecurity staff work overtime to contain Log4j vulnerability, at the expense of other IT functions
The Cyber Safety Review Board, sponsored by the federal government and made up of a mix of public and private experts, studied the Log4j vulnerability and the response to it across a variety of organizations. The grim outlook is primarily based on the fact that few organizations have been able to handle the issue well.
It was not at all uncommon for organizations to delay patching the Log4j vulnerability in spite of its seriousness, due either to a lack of resources or to worry that patching would be too disruptive to regular business operations. The Cyber Safety Review Board did find that exploitation of the Log4j vulnerability is not taking place at “high levels,” such as the compromise of critical infrastructure or financial services, nor are state-backed advanced persistent threat (APT) groups having much luck in exploiting it for their purposes thus far (though millions of attempts have been made to date).
While the Log4j vulnerability is not causing high-level catastrophes, it remains a problem for smaller businesses that do not have dedicated IT staff for these sorts of issues or well-developed cybersecurity programs. Some security experts have also questioned the Cyber Safety Review Board’s methodology in determining that no “serious” attacks have taken place, noting that the study relies on voluntary reporting and organizations were under no obligation to report.
The Cyber Safety Review Board report does not leave organizations empty-handed, offering 19 key mitigation recommendations plus further breakdowns organized by industry type and business size. However, even in an ideal scenario in which resources allow for all of this to be followed to the letter, there are so many instances of the Log4j vulnerability remaining in circulation that it will continue to pop up for a long time to come.
Cyber Safety Review Board indicates problem may not end until current software using old Log4j versions is deprecated
Easily the most commonly used piece of Java logging software, Log4j is deeply embedded in millions of places around the internet and is not necessarily easy to dig up. Patching is fairly simple once it is found, but the trick is finding all of the places it is hiding.
Initial estimates found that hundreds of millions of devices worldwide were likely impacted by the Log4j vulnerability, and likely tens of millions remain susceptible despite a massive awareness campaign and many extra man-hours of labor devoted solely to patching. IT departments continue to struggle to find time to hunt down and patch all of these instances; it is an important thing to do given how easy this vulnerability is to exploit, but it also draws manpower away from other critical issues.
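The hard part described above is inventory, not patching: Log4j is often buried inside a WAR's WEB-INF/lib, inside a jar nested in another jar, or shaded into a fat jar where no filename carries a version. The following is an added example, not code from the article or the Cyber Safety Review Board report, showing how a defender can walk nested archives and flag copies that need attention; the version cut-off MIN_OK is a placeholder you must set to your own approved minimum, and the sample archives are constructed in memory.

```python
import io, re, zipfile

CORE_RE = re.compile(r"log4j-core-(\d+(?:\.\d+)+)\.jar$")  # group 1 is the version
# Class shipped in log4j-core; it survives shading into a fat jar with no version in any filename.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVES = (".jar", ".war", ".ear", ".zip")
MIN_OK = (2, 17, 1)  # placeholder: substitute your approved minimum for the 2.x line

def scan_archive(blob, label, findings, depth=0):
    """Record (location, version or 'shaded') for log4j-core in an archive or any archive nested in it."""
    if depth == 0 and (m := CORE_RE.search(label)):  # a bare log4j-core jar handed in directly
        findings.append((label, m.group(1)))
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return
    with zf:
        for entry in zf.namelist():
            if entry == JNDI_LOOKUP:
                findings.append((label, "shaded"))
            m = CORE_RE.search(entry)
            if m:
                findings.append((f"{label}!{entry}", m.group(1)))
            if entry.endswith(ARCHIVES) and depth < 5:  # recurse into WEB-INF/lib, nested jars
                scan_archive(zf.read(entry), f"{label}!{entry}", findings, depth + 1)

def needs_attention(findings):
    """Shaded copies cannot be version-checked by name, so they are always flagged."""
    return [(loc, v) for loc, v in findings
            if v == "shaded" or tuple(map(int, v.split("."))) < MIN_OK]

def zipped(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()

def sample_findings():
    # Constructed sample, not real software: a WAR bundling an old log4j-core jar,
    # a fat jar that shades JndiLookup, and a bare jar already at the approved version.
    core = zipped({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"})
    archives = {
        "app.war": zipped({"WEB-INF/lib/log4j-core-2.14.1.jar": core}),
        "tool.jar": zipped({JNDI_LOOKUP: b"", "Main.class": b""}),
        "log4j-core-2.17.1.jar": core,
    }
    findings = []
    for name, blob in archives.items():
        scan_archive(blob, name, findings)
    return sorted(needs_attention(findings))
```

On a real host, feed every archive found with os.walk to scan_archive and reconcile the output against your asset inventory; the "shaded" hits are the ones a filename-based scanner would miss and need manual version confirmation.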