According to the Cyber Safety Review Board (CSRB) created by American President Joe Biden, a computer vulnerability that was discovered last year in a popular piece of software is an “endemic” problem capable of posing security risks for potentially a decade or more.
The Log4j flaw found last year allows attackers to execute code remotely on a target computer, after which the attacker can steal data, install malware or take control of the machine. Exploitation observed at the time included compromising systems to mine cryptocurrency. The Log4j framework is used by developers to record user activity and the behavior of applications. It is distributed for free by the Apache Software Foundation (ASF) and is the most widely used Java logging library.
According to the CSRB report, in November 2021, a security engineer from the Alibaba Cloud Security team reported a vulnerability in the JNDI feature to the ASF. While ASF was working to understand and fix the issue, another party had disclosed the vulnerability to the general public before ASF could make an upgrade available. “Such a disclosure of a significant vulnerability in any widely used piece of software immediately triggers a race between defense and offense: a race to apply upgrades before threat actors exploit vulnerable systems. The Log4j vulnerability was no exception,” the CSRB report mentioned. “Defenders faced a particularly challenging situation; the vulnerability impacted virtually every networked organization and the severity of the threat required fast action. The fact that there is no comprehensive “customer list” for Log4j, or even a list of where it is integrated as a sub-system, hindered defender progress. Enterprises and vendors scrambled to discover where they used Log4j. The pace, pressure, and publicity compounded the defensive challenges: security researchers quickly found additional vulnerabilities in Log4j, contributing to confusion and “patching fatigue”; defenders struggled to distinguish vulnerability scanning by bona fide researchers from threat actors; and responders found it difficult to find authoritative sources of information on how to address the issues. This culminated in one of the most intensive cybersecurity community responses in history.”
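The report's point that there is no "customer list" for Log4j, and that enterprises had to discover for themselves where it was integrated as a sub-system, is a concrete inventory problem. The script below is an added example, not code from the CSRB report or from the ASF: it walks a directory tree, opens every Java archive it finds, and reports each bundled copy of log4j-core with its declared version and whether the JNDI lookup class (the feature the report names as the source of the vulnerability) is present, recursing into archives nested inside .war and .ear files, which is where most copies hide. The Maven `pom.properties` path and the `JndiLookup.class` path are the standard locations inside the real artifact; the sample archives the script builds in a temporary directory are constructed fixtures, and the version string they carry is a sample value, not a statement about which releases are affected.

```python
"""Added example (not CSRB or ASF code): inventory bundled copies of
log4j-core inside Java archives, including archives nested in other
archives, so defenders can find where the library is integrated."""
import io
import os
import tempfile
import zipfile

# Standard locations inside a real log4j-core jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


def _version_from_pom(text):
    """Extract the version= line from Maven pom.properties content."""
    for line in text.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data, label):
    """Return a list of findings for one archive given as bytes.

    A finding is a dict with the archive path (nested entries are joined
    with '!/'), the declared log4j-core version, and whether the JNDI
    lookup class is bundled. Nested archives are inspected recursively.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive; skip it
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names or JNDI_CLASS in names:
            version = None
            if POM_PROPS in names:
                pom = zf.read(POM_PROPS).decode("utf-8", "replace")
                version = _version_from_pom(pom)
            findings.append({
                "path": label,
                "version": version,
                "jndi_lookup": JNDI_CLASS in names,
            })
        # Recurse into archives packaged inside this one (e.g. WEB-INF/lib).
        for name in sorted(names):
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{label}!/{name}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found in it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_tree(root):
    """Write constructed fixtures (not real artifacts) under root:
    a stand-alone log4j-core jar, a .war that nests the same jar under
    WEB-INF/lib, and an unrelated jar that should produce no finding."""
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as z:
        z.writestr(POM_PROPS, "groupId=org.apache.logging.log4j\n"
                              "artifactId=log4j-core\nversion=2.14.1\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
    core_bytes = core.getvalue()

    os.makedirs(os.path.join(root, "lib"), exist_ok=True)
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(core_bytes)

    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", core_bytes)
        z.writestr("WEB-INF/web.xml", "<web-app/>")

    with zipfile.ZipFile(os.path.join(root, "lib", "other.jar"), "w") as z:
        z.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the constructed fixtures in a temp dir and scan them."""
    root = tempfile.mkdtemp(prefix="log4j-inventory-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: version={f['version']} jndi_lookup={f['jndi_lookup']}")
```

On a real host, call `scan_tree()` on application and container directories and compare the reported versions against the ASF advisories for the version line in use; the `jndi_lookup` flag tells you whether the class the report identifies as the vulnerable feature is still shipped in that copy.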
As per the report, the Log4j event demonstrates how counterintuitive cybersecurity defense can be, for both individual enterprises and the ecosystem. The event also highlights the security risks unique to the thinly resourced, volunteer-based open-source community.
“The Cyber Safety Review Board has established itself as a new, innovative, and enduring institution in the cybersecurity ecosystem,” said CSRB Chair and DHS Under Secretary for Policy, Robert Silvers. “Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.”
CSRB recommends that to reduce the recurrence of vulnerabilities like Log4j, public and private sector stakeholders need to create centralized resourcing and security assistance structures that are capable of supporting the open-source community.
To address the continued risks of Log4j, CSRB has asked organizations to be prepared to address Log4j vulnerabilities for years to come and continue to report and escalate observations of Log4j exploitation.